Biometric safeguard method for use with a smartcard

ABSTRACT

A method for facilitating biometric security in a smartcard-reader transaction system is provided. The method includes determining if a transaction violates an established rule, such as a preset spending limit. The method also includes notifying a user to proffer a biometric sample in order to verify the identity of said user, and detecting a proffered biometric at a sensor to obtain a proffered biometric sample. The method additionally comprises verifying the proffered biometric sample and authorizing a transaction to continue upon verification of the proffered biometric sample.

FIELD OF INVENTION

The present invention relates generally to the use of integrated circuitcards, or “smartcards,” for commercial transactions and, moreparticularly, to methods and system for using biometrics with asmartcard in the context of a distributed transaction system.

BACKGROUND OF INVENTION

The term “smartcard” refers generally to wallet-sized or smaller cardsincorporating a microprocessor or microcontroller to store and managedata within the card. More complex than magnetic-stripe and stored-valuecards, smartcards may be characterized by sophisticated memorymanagement and security features. A typical smartcard may include amicrocontroller embedded within the card plastic which may beelectrically connected to an array of external contacts provided on thecard exterior. A smartcard microcontroller generally may include anelectrically-erasable and programmable read only memory (EEPROM) forstoring user data, random access memory (RAM) for scratch storage, andread only memory (ROM) for storing the card operating system. Relativelysimple microcontrollers may be adequate to control these functions.Thus, it may be not unusual for smartcards to utilize 8-bit, 5 MHZmicrocontrollers with about 8K of EEP-ROM memory (for example, theMotorola 6805 or Intel 8051 microcontrollers).

A number of standards have been developed to address general aspects ofintegrated circuit cards, e.g.: ISO 7816-1, Part 1: Physicalcharacteristics (1987); ISO 7816-2, Part 2: Dimensions and location ofthe contacts (1988); ISO 7816-3, Part 3: Electronic signals andtransmission protocols (1989, Amd. 1 1992, Amd. 2 1994); ISO 7816-4,Part 4: Inter-industry commands for interchange (1995); ISO 7816-5, Part5: Numbering system and registration procedure for applicationidentifiers (1994, Amd. 1 1995); ISO/IEC DIS 7816-6, Inter-industry dataelements (1995); ISO/IEC WD 7816-7, Part 7: Enhanced inter-industrycommands (1995); and ISO/IEC WD 7816-8, Part 8: Inter-industry securityarchitecture (1995). These standards may be hereby incorporated byreference. Furthermore, general information regarding magnetic stripecards and chip cards may be found in a number of standard texts, e.g.,Zoreda & Oton, “Smart Cards” (1994), and Rankl & Effing, “Smart CardHandbook” 1997), the contents of which may be hereby incorporated byreference.

While some smartcard systems have streamlined the transaction processand provided a system for managing more information, smartcardtechnology has still not adequately addressed some of the authenticationissues related to transactions. Moreover, while biometric technologyexists with respect to certain access systems and limited financialsystems, the use of biometric security in association with smartcardsremains underdeveloped and scarce. As such, a need exists to integratebiometric technology advances with smartcard technology.

Additionally, despite advances in information technology and processstreamlining with respect to travel arrangements, the modern travelermay be often subjected to unnecessary delays, petty inconveniences, andoppressive paperwork. These travel burdens may be most evident in theairline, hotel, and rental car industries, where arranging and payingfor services and accommodations may involve significant time delays dueto miscommunication, poor record-keeping, and a host of otheradministrative inefficiencies. As such, a need also exists to expand theuse of smartcards into travel-related applications.

SUMMARY OF INVENTION

The smartcard system is configured with a biometric security system. Thebiometric security system includes a smartcard and a readercommunicating with the system. The biometric security system alsoincludes a biometric sensor that detects biometric samples and a devicefor verifying biometric samples. In yet another embodiment, the presentinvention discloses methods for proffering and processing biometricsamples to facilitate authorization of transactions.

The present invention may provide methods and apparatus for a smartcardsystem which securely and conveniently integrates importanttravel-related applications with biometric security, thereby overcomingthe limitations of the prior art. In accordance with one aspect of thepresent invention, a smartcard system may comprise a cardholderidentification application and various additional applications useful inparticular travel contexts; for example, airline, hotel, rental car, andpayment-related applications. In accordance with another aspect of thepresent invention, a smartcard system further may comprise space andsecurity features within specific applications which provide partneringorganizations the ability to construct custom and secure filestructures.

In accordance with one aspect of the present invention, a dynamicsmartcard synchronization system comprises access points configured toinitiate a transaction in conjunction with a smartcard, an enterprisedata collection unit, and a card object database update system, alongwith a biometric security system. An exemplary dynamic synchronizationsystem (DSS) preferably comprises various smartcard access points, asecure support client server, a card object database update system(CODUS), one or more enterprise data synchronization interfaces (EDSI),an update logic system, one or more enterprise data collection units(EDCUs), and one or more smartcard access points configured tointeroperably accept and interface with smartcards. In an exemplaryembodiment, DSS comprises a personalization system and an accountmaintenance system configured to communicate with CODUS.

In accordance with a further aspect of the present invention,personalization of multi-function smartcards is accomplished using abiometric security system and a security server configured to generateand/or retrieve cryptographic key information from multiple enterprisekey systems during the final phase of the smartcard issuance process.

These features and other advantages of the system and method, as well asthe structure and operation of various exemplary embodiments of thesystem and method, are described below.

BRIEF DESCRIPTION OF DRAWINGS

The present invention may hereinafter be described in conjunction withthe appended drawing figures, wherein like numerals denote likeelements, and:

FIG. 1 illustrates an exemplary smartcard apparatus;

FIG. 2 is a schematic diagram of an exemplary smartcard integratedcircuit, showing various functional blocks;

FIG. 3 is an exemplary diagram of files and directories arranged in atypical tree structure;

FIG. 4 sets forth an exemplary database structure in accordance with anexemplary embodiment of the present invention;

FIG. 5 sets forth an exemplary cardholder ID data structure inaccordance with the present invention;

FIG. 6 sets forth an exemplary payment system data structure inaccordance with the present invention;

FIG. 7 sets forth an exemplary airline data structure in accordance withthe present invention;

FIG. 8 sets forth an exemplary rental car data structure in accordancewith the present invention;

FIG. 9 sets forth an exemplary hotel system data structure in accordancewith the present invention;

FIG. 10 illustrates an exemplary distributed transaction system usefulin practicing the present invention;

FIG. 11 is a schematic overview of an exemplary dynamic synchronizationsystem in accordance with various aspects of the present invention;

FIG. 12 is a schematic overview of an exemplary secure support clientserver;

FIG. 13 is a schematic overview of an exemplary enterprise datasynchronization interface;

FIG. 14 is a schematic overview of an exemplary update logic system;

FIG. 15 is a schematic overview of an exemplary enterprise datacollection unit;

FIG. 16 is a schematic overview of an exemplary card object databaseupdate system (CODUS);

FIG. 17 is a flowchart depicting an exemplary method for synchronizingpending transaction information;

FIG. 18 is a flowchart depicting an exemplary method for synchronizingupdate transaction information;

FIG. 19 is a schematic overview of an exemplary personalization system;

FIG. 20 is a flowchart depicting an exemplary method of smartcardpersonalization;

FIG. 21 is an exemplary transaction data structure suitable for use in atravel context;

FIG. 22 is another schematic illustration of an exemplary smartcard inaccordance with the present invention;

FIG. 23 is a depiction of an exemplary biometrics process in accordancewith the present invention;

FIG. 24 is a schematic illustration of an exemplary smartcard biometricsystem in accordance with the present invention;

FIG. 25 is a schematic illustration of an exemplary smartcard reader inaccordance with the present invention;

FIG. 26 is an exemplary depiction of a Track 2 layout in accordance withthe present invention; and

FIG. 27 is an exemplary depiction of another Track 2 layout inaccordance with the present invention.

DETAILED DESCRIPTION

Referring now to FIGS. 1 and 2, an exemplary smartcard system suitablefor practicing the present invention may now be described. A smartcard100 generally may comprise a card body 102 having a communication region108 for providing contact or non-contact communication between anexternal device (e.g., a card reader) and an integrated circuit 110encapsulated within card body 102. Communication region 108 preferablymay comprise six conductive pads 106 whose placement and size conform toISO-7816-2. More particularly, a communication region 108 in conformancewith ISO-7816-2 preferably may comprise VCC contact 106(a) (powersupply), RST contact 106(b) (reset), CLK contact 106(c) (externalclock), GND Contact 106(d) (ground), VPP contact 106(e) (programmingvoltage), and I/O contact 106(f) (data line).

VCC 106(a) may suitably provide power to IC 110 (typically 5.0 V+/−10%).CLK 106(c) may be suitably used to provide an external clock sourcewhich acts as a data transmission reference. RST 106(b) may be suitablyused to transmit a reset signal to IC 110 during the booting sequence.VPP contact 106(e) may be used for programming of EEPROM 212 in IC 110.As may be known in the art, however, this contact may be generally notused since modern ICs typically incorporate a charge pump suitable forEEPROM programming which takes its power from the supply voltage (VCC106(a)). I/O 106(f) may suitably provide a line for serial datacommunication with an external device, and GND 106(d) may be suitablyused to provide a ground reference. Encapsulated integrated circuit 110may be configured to communicate electrically with contacts 106 via anynumber of known packaging techniques, including, for example,thermosonically-bonded gold wires, tape automated bonding (TAB), and thelike.

While an exemplary smartcard is discussed above in the context of aplurality of external contacts, it may be appreciated that contactlesscards may also be utilized to practice this invention. That is,non-contact communication methods may be employed using such techniquesas capacitive coupling, inductive coupling, and the like. As may beknown in the art, capacitive coupling involves incorporating capacitiveplates into the card body such that data transfer with a card reader maybe provided through symmetric pairs of coupled surfaces, whereincapacitance values may be typically 10-50 Pico farads, and the workingrange may be typically less than one millimeter. Inductive coupling mayemploy coupling elements, or conductive loops, disposed in aweakly-coupled transformer configuration employing phase, frequency, oramplitude modulation. In this regard, it may be appreciated that thelocation of communication region 108 disposed on or within card 100 mayvary depending on card configuration. For additional informationregarding non-contact techniques, see, for example, contactless cardstandards ISO/IEC 10536 and ISO/IEC 14443, which are hereby incorporatedby reference.

Smartcard body 102 may be preferably manufactured from a sufficientlyrigid material which may be resistant to various environmental factors,e.g., physical deterioration, thermal extremes, and ESD (electrostaticdischarge). Materials suitable in the context of the present inventionmay include, for example, PVC (polyvinyl chloride), ABS(acrylonitrile-butadiene-styrol), PET (polyethylene terephthalate), orthe like. In an exemplary embodiment, chip card 100 may conform to themechanical requirements set forth in ISO 7810, 7813, and 7816. Body 102may comprise a variety of shapes, for example, the rectangular ID-1,ID-00, or ID-000 dimensions set forth in ISO-7810. In an exemplaryembodiment, body 102 may be roughly the size and shape of a commoncredit card and substantially conforms to the ID-1 specification.

Referring now to FIG. 2, IC 110 preferably may comprise regions forRandom Access Memory (RAM) 216, Read-Only Memory (ROM) 214, CentralProcessing Unit (CPU) 202, data bus 210, Input/Output (I/O) 208 andElectrically-Erasable and Programmable Read Only Memory (EEPROM) 212.

RAM 216 may comprise volatile memory which may be used by the cardprimarily for scratch memory, e.g., to store intermediate calculationresults and data encryption processes. RAM 216 preferably may compriseat least 256 bytes.

EEPROM 212 may provide a non-volatile memory region which may beerasable and rewritable electrically, and which may be used to store,inter alia, user data, system data a smartcard identifier andapplication files. In the context of the present invention, EEPROM 212may be suitably used to store a plurality of files related to cardholderinformation, including general cardholder information, paymentinformation and/or other transaction information. In one exemplaryembodiment in accordance with the present invention, EEPROM 212 may besuitably used to store travel-related information (discussed in greaterdetail below in conjunction with FIG. 3). EEPROM 212 preferably maycomprise at least 8K bytes.

A smartcard identifier, as used herein, may include any account number,Card Production Life Cycle (CPLC) data, and/or identifier for an account(e.g., credit, charge debit, checking, savings, reward, loyalty, travelor the like) which may be maintained by a transaction account provider(e.g., payment authorization center) and which may be used to complete atransaction. The smartcard identifier may include financial transactioninformation, CPLC data, and or other information, such as, for example,a passport number, a driver's license number, a social security number,and/or any other indicator used to facilitate identification, accessand/or any other type of transaction. A typical account number (e.g.,account data) may be correlated to a credit or debit account, loyaltyaccount, travel or rewards account maintained and serviced by suchentities as American Express, Visa and/or MasterCard or the like. Forease in understanding, the present invention may be described withrespect to a credit card account. However, it should be noted that theinvention may be not so limited and other accounts permitting anexchange of goods and services for an account data value may becontemplated to be within the scope of the present invention.

In addition, the account number (e.g., account data) may be associatedwith any device, code, or other identifier/indicia suitably configuredto allow the consumer to interact or communicate with the system, suchas, for example, authorization/access code, personal identificationnumber (PIN), Internet code, digital certificate, biometric data, and/orother identification indicia. The account number may be optionallylocated on a rewards card, charge card, credit card, debit card, prepaidcard, telephone card, smart card, magnetic stripe card, bar code card,and/or the like. The account number may be distributed and stored in anyform of plastic, electronic, magnetic, and/or optical device capable oftransmitting or downloading data to a second device. A customer accountnumber may be, for example, a sixteen-digit credit card number, althougheach credit provider has its own numbering system, such as thefifteen-digit numbering system used by American Express. Each company'scredit card numbers comply with that company's standardized format suchthat the company using a sixteen-digit format will generally use fourspaced sets of numbers, as represented by the number “0000 0000 00000000”. In a typical example, the first five to seven digits are reservedfor processing purposes and identify the issuing bank, card type andetc. In this example, the last sixteenth digit may be used as a sumcheck for the sixteen-digit number. The intermediary eight-to-ten digitsare used to uniquely identify the customer. The account number stored asTrack 1 and Track 2 data as defined in ISO/IEC 7813, and further may bemade unique to smart card 102. Track 1 and Track 2 data may be describedin more detail below.

In an exemplary embodiment, CPU 202 may implement the instruction setstored in ROM 202, handles memory management (i.e., RAM 216 and EEPROM212), and coordinates input/output activities (i.e., I/O 208).

ROM 214 preferably contains, or may be “masked” with, the smart cardoperating system (SCOS). That is, the SCOS may be preferably implementedas hard-wired logic in ROM 214 using standard mask design andsemiconductor processing methods well known in the art (e.g.,photolithography, diffusion, oxidation, ion implantation, etc.).Accordingly, ROM 214 cannot generally be altered after fabrication. Thepurpose of such an implementation may be to take advantage of the fastaccess times provided by masked ROMs. ROM 214 suitably may compriseabout 4K-20K bytes of memory, preferably at least 16K bytes. In thisregard, it may be appreciated that alternate memory devices may be usedin place of ROM 214. Indeed, as semiconductor technology progresses, itmay be advantageous to employ more compact forms of memory, for example,flash-EEPROMs.

The SCOS controls information flow to and from the card, and moreparticularly facilitates storage and retrieval of data stored withinEEPROM 212. As with any operating system, the SCOS may operate accordingto a well-defined command set. In this regard, a variety of known smartcard operating systems may be suitable for the purpose of thisinvention, for example, IBM's Multi-Function Card (MFC) Operating System3.51, the specification of which are hereby incorporated by reference.While the IBM MFC operating system may employ the standard treestructure of files and directories substantially in accordance with ISO7816-4 (as detailed below), it may be appreciated by those skilled inthe art that other operating system models would be equally suitable forimplementation of the present invention. Moreover, it may beadvantageous to allow certain aspects of operating system functionalityto exist outside the card, i.e., in the form of blocks of executablecode which may be downloaded and executed by the smartcard during atransaction (for example, Java applets, ActiveX objects, and the like).

Given the general characteristics of smartcard 100 as outlined above, itmay be apparent that a wide range of microcontrollers and contact-basedsmartcard products known in the art may be used to implement variousembodiments of the present invention. Suitable smartcards may include,for example, the model ST16SF48 card, manufactured by SGS-ThomsonMicroelectronics, which incorporates a Motorola 6805 microcontrollerwith 16K ROM, 8K EEPROM, and 384 bytes of RAM. It may be appreciated,however, that particular embodiments of the present invention mightrequire more advanced microcontrollers with greater EEPROM capacity(i.e., in the range of about 12-16K). Such systems may be well known inthe art.

In accordance with another exemplary embodiment, the smartcardidentifier and/or any other account number or data may be stored inmagnetic stripe format. For example, where the account number may be inmagnetic stripe format, the account number portions are governed by theInternational Standards Organization ISO/IEC 7811, et al. standard,which are hereby incorporated by reference. The standard requires themagnetic stripe information to be encoded in three “tracks” (i.e., track1, track 2, and track 3).

Data stored in track 1 may be typically used to verify the user'sidentity. Track 1 may be reserved for encoding the transaction accountidentifier, the name of the accountholder and at least the expirationdate of the transaction account or the transaction device. Theinformation encoded in track 1 may be alpha-numeric and may be encodedat about 7 Bits/Character. In an exemplary layout of the data stored intrack 1, track 1 may be segmented into several distinct predeterminedportions (e.g., “fields”) for encoding the various account identifyinginformation. The following table may be useful for determining the fielddefinitions of the information provided.

TABLE 1 Table of Field Codes for Track 1 SS = Start Sentinel “%” FC =Format Code PAN = Primary Acct. # (19 digits max) FS = Field Separator“{circumflex over ( )}” Name = 26 alphanumeric characters max.Additional Data = Expiration Date, offset, encrypted PIN, etc. ES = EndSentinel “?” LRC = Longitudinal Redundancy Check

Track 2 may be the track most commonly used by the American BankingAssociation associated banking institutions. Track 2 may be typicallyreserved for a duplicate version of the transaction account identifierand the expiration date of the transaction account or the transactiondevice stored in track 1. In addition, track 2 may include an encryptedPersonal Identification Code, and other discretionary data. However, thedata in track 2 may be encoded at a lower Bit per Character density thanthe data encoded in track 1. The data in track 2 may be numeric only andmay be encoded at about 5 Bits/Character. The lower density ratio intrack 2 may be designed to ensure compatibility with older technologyreaders and to provide redundancy when reading with newer technologyreaders. FIG. 26 illustrates an exemplary layout of the data stored intrack 2, wherein track 2 may be segmented into several distinctpredetermined portions for encoding the various account identifyinginformation. As shown, the following table may be useful for determiningthe definitions of the information provided. Table of Field Codes forTrack 2.

TABLE 2 SS = Start Sentinel “%” SS = Start Sentinel “;” PAN = PrimaryAcct. # (19 digits max) FS = Field Separator “=” Additional Data =Expiration Date, offset, encrypted PIN, etc. ES = End Sentinel “?” LRC =Longitudinal Redundancy Check

Track 3 may be of similar description as Track 2. With the InternationalStandards Organization adoption of standard ISO/IEC 4909, track 3 of themagnetic stripe format was no longer used by the banking industry.However, other transaction devices including a magnetic stripe, such asdrivers licenses, use track 3, which may include both numeric only andalpha numeric characters. Track 3 may be unique in that track 3 wasintended to have data read and WRITTEN on it. Cardholders would haveaccount information UPDATED right on the magnetic stripe. The presentinvention anticipates that a smart card user's travel-relatedinformation profile and/or account information may be updated usingtrack 3. Unfortunately, track 3 may be almost an orphaned standard,since most readers currently in operation are not configured to writedata onto a magnetic stripe. The original design of track 3 was tocontrol off-line ATM transactions by recording transaction data forlater reference by the banking institution. But since ATMs are nowon-line, the usage of track 3 has been drastically reduced.

The most common technique used to encode data in magnetic stripe formatmay be known as Aiken Biphase, or “two-frequency coherent-phaseencoding.” The American National Standards Institute (ANSI) and theInternational Standards Organization (ISO) have chosen two standards toguide the encoding process. The ISO encoding protocol specifies thateach of tracks 1, 2 and 3 must begin and end with a length of all Zerobits, called CLOCKING BITS. These are used to synchronize theself-clocking feature of bi-phase decoding. In addition, mosttransaction devices which use magnetic stripe encoding protocol useeither the ANSI/ISO ALPHA Data format or the ANSI/ISO BCD Data format.For example, track 1 may be typically encoded in ANSI/ISO ALPHA Dataformat which may be a 7 bit, 6 data bits+1 parity bit (odd) format,where the data may be read least significant bit first. The ANSI/ISOALPHA format character set contains 64 characters, 43 alphanumeric, 3framing/field characters and 18 control/special characters. On the otherhand, tracks 2 and 3 are typically encoded in ANSI/ISO BCD Data format,which may be a 5 bit, 4 data bits+1 parity bit(odd) format. Thecharacter set for the ANSI/ISO BCD Data format character set contains 16characters, 10 alphanumeric, 3 framing/field characters and 3control/special characters.

Ordinarily, a proxy account number (e.g., a portion of the transactionaccount number) includes essential identifying information, such as, forexample, any information that may be common to the account provider. Thecommon information (also called “common character,” herein) may includethe account provider routing number, or common source indicator such asthe character spaces reserved to indicate the identification of theissuing bank. Thus, where the proxy transaction account identifiercorresponds to an American Express account, the proxy transactionaccount identifier may include the common character number 3, encodedthe field location where such common character may be ordinarily encodedin traditional magnetic stripe format.

FIG. 27 illustrates the encoding of which would ordinarily be done by anentity, such as, for example, MasterCard in track 2 format. FIG. 12shows the encoding of a Master-Card account number 3111 2222 3333 4444with expiration date 12/99 in traditional track 1 format. SinceMasterCard uses the number 3 to identify its transaction accounts, theproxy account identifier will also use the number 3 so that thereceiving system (e.g., reader 104 or merchant system 130, or accountprovider) further recognizes that the proxy account identifier may befrom a MasterCard transaction device. It should be noted that in thisexample, the “3” and the “101” may be common characters to allMasterCard transaction accounts. For a more detailed explanation ofmagnetic stripe format data exchange, see U.S. patent application Ser.No. 10/810,473 filed on Mar, 26, 2004, entitled SYSTEM AND METHOD FORENCODING INFORMATION IN MAGNETIC STRIPE FORMAT FOR USE IN RADIOFREQUENCY IDENTIFICATION TRANSACTIONS, incorporated herein by reference.

Having thus described an exemplary smartcard 100 and IC 110, an overviewof a smartcard file structure in accordance with the present inventionmay now be described. Referring now to FIG. 4, file structure 400 may bepreferably used to store information related to cardholder preferencesand various data useful for securing and paying for air travel, rentalcars, hotel reservations and the like. More particularly, file structure400 preferably may comprise cardholder ID application 406, paymentsystem application 408, airline application 410, hotel systemapplication 412, rental car application 414, and cardholder verificationdata 404. It may be appreciated by those skilled in the art that theterm “application” in this context refers to self-contained regions ofdata all directed at a particular function (e.g., airline, hotel, etc.)rather than a block of executable software code, although the use ofexecutable modules as part of any particular application falls withinthe scope of the present invention.

Cardholder verification data 404 preferably houses data useful inverifying cardholder identity during a transaction. In an exemplaryembodiment, cardholder verification data 404 may comprise two eight-bytecardholder verification numbers (i.e., PIN numbers) referred to as CHV1and CHV2.

Cardholder ID application 406 suitably may comprise various filesrelated to personal information of the cardholder (e.g., name,addresses, payment cards, driver's license, personal preferences and thelike). Cardholder ID application 406 is described in greater detailbelow in conjunction with FIG. 5.

Payment system application 408 suitably may comprise information usefulin effecting commercial transactions, e.g., account number andexpiration date information traditonally stored on a magnetic-stripecredit card. Alternatively, Payment system application 408 may comprisea full EMV-compliant application suitable for a wide range of financialtransactions. Payment system application 408 is described further belowin conjunction with FIG. 6.

Airline application 410 suitably may comprise data helpful instreamlining commercial airline travel; for example, relevant personalpreferences, electronic tickets, and frequent flier information. Airlineapplication 410 is discussed in greater detail below in conjunction withFIG. 7.

Hotel application 412 suitably may comprise information useful forsecuring and paying for hotel reservations, including an array ofinformation and preferences associated with a list of preferred hotelsas well space for electronic keys. Hotel application 412 is discussed ingreater detail below in conjunction with FIG. 9.

Rental car application 414 suitably may comprise data useful inexpediting the process of car rental and return, including, for example,car preference and frequent rental information. Rental car application414 is described in further detail below in conjunction with FIG. 8.

In each of the above mentioned applications, sophisticated access andencryption schemes may be, in one embodiment, utilized in order to allowmultiple parties to make use of certain file structures while preventingunauthorized entry into others. More specifically, partneringorganizations (e.g., hotel chains, airlines, and rental car agencies)may create their own tailor-made file structures (i.e., “partner filestructures”) within card 100. Details of the various security measuresemployed is described in further detail below in conjunction with Table39.

Referring now to FIG. 10, smartcard 100 may be suitably used in thecontext of a distributed transaction system. Briefly, cardholder's mayemploy smartcard 100 at various access points 15 which may be connectedvia network 19 to an issuer 10 and at least one partnering organization12. Issuer 10 suitably may comprise various hardware and softwarecomponents suitable for client host communications as well as a databasesystem 11. In this context, the term “issuer” refers to the organizationthat actually issues the smartcard and retains some high-level access tocertain areas of file structure 400 (detailed below).

Partnering organizations 12(a), 12(b), and so on, comprise the varioushotel chains, rental-car agencies, airlines, and the like, who haveaccess to appropriate data regions within smartcard 100. Each partneringorganization 12 suitably may comprise a database 13 and appropriatehardware and software components necessary for completing a transactionover network 19. Network 19 may comprise the various components,databases, modules, and apparatus described above connected via asuitable data communication network. Such a network may consist ofvarious physical connections using a variety of conventional dataprotocols, for example, the TCP/IP protocol. It may be appreciated thatthe individual connections between components of the present system maydiffer. For example, network 19 may comprise a wireless PCS network, aInternet TCP/IP connection, a public switched telephone network (PSTN),a digital and analog wireless networks, and the like.

Those skilled in the art may appreciate that a variety of hardwaresystems may be suitable for implementing the present invention. Variousmodems, routers, CPU's, monitors, back-up systems, power-supplies, andperipherals may be employed to realize the benefits of the presentsystem. In one embodiment, for example, a Compaq Prolinea computeroperating in an OS/2 environment using IBM MQ Server software may beused to implement servers used for the present invention. Further aCompaq Prolinea computer operating in a Windows/NT environment running asuitable database software package may facilitate data exchanges inaccordance with the present invention.

Each access point 15 suitably may comprise an appropriate card reader104 for interfacing with smartcard 100 as well as hardware and softwaresuitable for interfacing with a cardholder and performing a transactionover network 19. Smartcard access points 15 allow the cardholder to gainaccess to the distributed transactions system through a variety ofmeans. Such access points may include, for example, standard hometelephones, various PCS wireless systems, pay phones, palmtop computers,notebook computers, Internet workstations, automated teller machines(ATMs), point of sale terminals (POS) stand-alone kiosks, networkcomputers (NCs), personal data assistants (PDAs), or any other suitablyconfigured communication apparatus. Access points 15 may be portable (asin the case of PDAs and cellular phones) or centrally located, forexample, in airline ticketing and gate areas, rental car facilities,hotel lobbies, travel agencies, and malls. In addition, businesses maysee fit to host an access point 15 to streamline their employees”business travel. In an exemplary embodiment, various access points 15may be configured to interface with contact-based smartcards 100 inaccordance with the relevant portions of the ISO-7816 standard.

In an exemplary embodiment of the present invention, data files anddirectories may be stored in a “tree” structure as illustrated in FIG.3. That is, the smartcard file structure may resemble the well knownMS-DOS (Microsoft Disk Operating System) file structure wherein filesmay be logically organized within a hierarchy of directories.Specifically, three types of files may be defined in ISO 7816-4:dedicated files (DF), elementary files (EF), and a master file (MF). Themaster file may be analogous to the MS-DOS “root” directory, andcontains all other files and directories. Dedicated files may beactually directories or “folders” for holding other DFs or EFs. Thus, MF302 may contain an arbitrary number of DFs 306, and these DFs (e.g., DF306(a)) may or may not contain other DFs (e.g., DF 308). Elementaryfiles may be used to store user data, and may exist within a dedicatedfile (e.g., EF 310 within DF 306(a)), or within the master file (e.g.,EF 304 within MF 302). Higher level DFs (i.e., DFs which houseparticular applications) may be often referred to as applicationdedicated files (ADFs).

The MF and each of the DFs and EFs may be assigned a unique two-bytefile identifier (FID). By convention, the MF may be traditionallyassigned an FID of “3F00” hex. Selection of an EF or DF by the operatingsystem may then be performed by tracing its entire path starting at theMF. Thus, if the MF contains a DF with a FID “A100”, and this DF in turncontains an EF with a FID “A101”, then this EF could be referencedabsolutely by successive selection of FIDs 3F00, A100, and A101. It maybe appreciated that the FID may be essentially a file name used by theoperating system to select directories and files; it may be not intendedto indicate a physical address within EEPROM 212. As may be appreciatedby those skilled in the art, lowlevel EEPROM addressing may bepreferably handled by the SCOS in conjunction with CPU 202.

Each file preferably has an associated file header containing variousindicia of the particular EF, DF, or MF. More particularly, the fileheader associated with a particular file preferably may include the fileidentifier (FID), file size, access conditions, and file structure. Inthis regard, smartcard 100 suitably may employ one of four filestructures: transparent, linear fixed, linear variable, or cyclic. Forthe sake completeness, the nature of these file structures may bebriefly reviewed.

A transparent file structure consists of a string of bytes accessed byspecifying an offset and byte count. For example, with reference toTable 1 below, given a n-byte string of data, bytes 7 through 10 wouldbe accessed using an offset of six and a length of four.

TABLE 1 Transparent file structure

A linear fixed file structure may comprise a plurality of records ofequal length (e.g., a list of phone numbers), wherein access to anindividual record may be achieved through reference to a record number.In addition, it may be possible to refer to the “next” or “previous”record relative to the “current” record (i.e., the most recentlyaccessed record). In contrast, a linear variable file structure maycomprise records of arbitrary but known length, and may be thereforetypically more compact than linear fixed data structures.

A cyclic file structure may be a type of linear fixed file wherein apointer may be used to point to the last data set written to. After thelast data record may be written to, the pointer returns to the firstrecord. That is, a cyclic file may comprise a series of records arrangedin a “ring”. A data structure particularly important with regard tostoring records as well as secure messaging in smartcard applicationsmay be the BER tag-length-value or “TLV” structure in accordance withISO/IEC 8825, hereby incorporated by reference. In a TLV object,information regarding the type and length of the information may beincluded along with the actual data. Thus, a TLV object may comprise atag which identifies the type of data (as called out by the appropriatespecification), a length field which indicates the length in bytes ofthe data to follow, and a value field, which may comprise the primarydata. For example, the TLV object illustrated in Table 2 below encodesthe text “phoenix”, which has a length of 7 bytes, and corresponds to athe “city” tag of “8C” hex (a hypothetical tag designation).

TABLE 2 Exemplary primitive TLV object Tag Length Value ‘8C’ ‘07’ p h oe n i x

It may be appreciated that the meaning of the various tag values must beknown to the system a priori. That is, in order for the tag field to beuseful, the smartcard and any external systems communicating with thesmartcard must conform to the same tag specification. In this regard,ISO/IEC 7816-6 defines a series of tags useful in the context of thepresent invention, as does the IBM MFC 3.2 specification. ISO/IEC 8825sets forth the basic encoding rules for a TLV system and defines a“template” data object which may be used as a container for multiple TLVobjects. That is, it may be often advantageous to encapsulate primitiveTLV objects within a larger template which may be itself a TLV object.

Referring now to FIG. 4, an exemplary smartcard data structure inaccordance with the present invention may now be described in detail.Data structure 400 preferably may comprise a MF 402 and five DFs:Cardholder ID application 406, Payment system application 408, Airlineapplication 410, Hotel application 412, and Rental car application 414.

In the detailed description to follow, various acronyms andabbreviations may be used to refer to particular data types, formats,and the like. A key to these acronyms and abbreviations may be presentedin Table 3 below.

TABLE 3 Key to acronyms AN Alphanumeric N Numeric B Boolean C ConventionM Matrix D Data AR Bits array BIN Binary RJ Right-justified LJLeft-justified BCD Binary coded decimal

In the discussion that follows, the various features of an exemplarydata structure may be in some cases described using particular filestructure types (i.e., transparent, fixed, etc.). Those skilled in theart may realize, however, that any of the common smartcard filestructure types may be typically suitable for implementing anyparticular data structure. For example, when a file structure isdescribed as including “a plurality of records,” it may be understoodthat such a structure may be designed, for example, using a list ofrecords assembled in a linear fixed file wherein each record may beitself a transparent file (and offset values correspond to the variousfields). Alternatively, such a structure may be designed using TLVstrings assembled in a linear fixed file or within a larger templateTLV. This may be the case notwithstanding the fact that particular tagvalues which may be for the most part arbitrary may be not explicitlylisted in the tables that follow.

Referring now to FIG. 5, Cardholder ID application 406 may be used tostore various information related to the cardholder. Portions of thisinformation may be freely available to the partnering organizations,thereby preventing the storage of redundant information.

More particularly, cardholder ID application 406 preferably may comprisedirectory EF 532, holder_ID DF 502 and miscellaneous DF 530. Holder_IDDF 502 preferably may comprise ID EF 504, home EF 506, business EF 508,preferences EF 514, passport EF 516, authentication EF 520, biometric EF522, and driver EF 518. Miscellaneous EF 530 preferably may comprisepayment card EF 510, sequence EF 512, issuance EF 511, preferredprograms EF 528, and card number EF 526. These files and theirrespective functions are discussed in detail below.

Directory EF 532 may provide a list of application identifiers andlabels for the various high-level DF's existing under cardholder IDapplication 406. That is, this file serves the function of a high-leveldirectory listing which specifies the location (i.e., FID) andapplication label for each DF in this case, holder_ID DF 502 andmiscellaneous DF 530. In an exemplary embodiment, directory EF 532 maybe structured in accordance with EMV 3.0 as shown in Table 4 below. Inone embodiment, each major application (e.g., hotel, airline, etc.) hasan associated directory file with a substantially same file structure.

TABLE 4 Exemplary cardholder ID directory EF External format Internalformat (bytes) Record description Size Type Size Type Application ID for16 AN 16 ASCII holder_ID DF Application label 16 AN 16 ASCII ApplicationID for 16 AN 16 ASCII miscellaneous DF Application label 16 AN 16 ASCII

ID EF 504 preferably may include personal information related to thecardholder, e.g., name, date of birth, emergency contact, generalpreferences, and the like. In an exemplary embodiment, member EF 504 maycomprise the fields set forth in Table 5 below. Italicized field namesindicate a subcategory within a particular field.

TABLE 5 Exemplary ID EF data structure External format Internal format(bytes) Size Type Size Type Record description Last Name 30 AN 30 ASCIIFirst Name 20 AN 20 ASCII Middle Name 8 AN 8 ASCII Honorary Title 8 AN 8ASCII Name Suffix 4 AN 4 ASCII Date of Birth 8 D 4 BCD Social SecurityNumber 10 AN 10 ASCII Emergency Contact Last Name 20 AN 20 ASCII FirstName 10 AN 10 ASCII Relation 1 C 1 BIN Phone 20 N 10 BCD Gender 1 AN 1ASCII Special Personal Requirements 12 AN 12 M Language Preference (ISO2 C 2 ASCII 639)

In the above table, and the tables to follow, both internal and externaldata formats may be listed. As the conservation of EEPROM space may beof paramount importance, the “internal” format of data (i.e., withinEEPROM 212) may be different from the “external” format of the data(i.e., as read by the card reader at an access point 15). Thus, forexample, a date field may consist of a four-byte BCD record within thecard, but upon reading and processing by the terminal, this data may beconverted to an eight-byte decimal value for more convenient processing.

Home EF 506 preferably may include data related to one or more of thecardholder's home addresses. In an exemplary embodiment, home EF 506comprising the fields set forth in Table 6 below. The personal travelcharge account pointer may be preferably used to designate an exemplarypayment card, and may consists of a number corresponding to one of thepayment card records within payment card EF 510 (detailed below).

TABLE 6 Exemplary home EF file structure External format Internal format(bytes) Record description Size Type Size Type Home Address 1 40 AN 40ASCII Home Address 2 40 AN 40 ASCII Home Address City 25 AN 25 ASCIIHome Address State 5 AN 5 ASCII Home Country (ISO 3166) 2 AN 2 ASCIIHome Address Zip Code 10 AN 10 ASCII Home Address Telephone 20 N 10 BCDHome Address FAX 20 N 10 BCD Home E-mail address 40 AN 40 ASCII Personaltravel charge account 2 N 1 BCD number pointer

Business EF 508 preferably may include various data related to thecardholder's business (i.e., addresses, phone numbers, and the like). Inan exemplary embodiment, business EF 508 comprising the fields set forthin Table 7 below. In this regard, the credit card pointer field may bepreferably used to point to a payment card record within payment card EF510 (detailed below). The cost center, dept., division, and employee IDfields may be employer-specific, and may or may not apply in a givencase.

TABLE 7 Exemplary business EF file structure External format Internalformat (bytes) Record description Size Type Size Type Business Address 140 AN 40 ACSII Business Address 2 40 AN 40 ASCII Business Address City25 AN 25 ASCII Business Address State 5 AN 5 ASCII Business Country (ISO2 AN 2 ASCII 3166) Business Address Zip Code 10 AN 10 ASCII BusinessTelephone No. 20 N 10 BCD Business Address Fax 20 N 10 BCD BusinessE-mail Address 40 AN 40 ASCII Professional Title 10 AN 10 ASCII EmployeeID 10 AN 10 ASCII Division 20 AN 20 ASCII Dept 20 AN 20 ASCII CostCenter 12 AN 12 ASCII Professional travel account 2 N 2 BCD numberpointer Professional license data 20 AN 20 ASCII Credit Card pointer 2 N1 BCD Company Name 20 AN 20 ASCII

Preferences EF 514 preferably may comprise data related to thecardholder's default personal preferences. In an exemplary embodiment,preferences EF 514 may include a field comprising an array ofpreferences as set forth in Table 8 below. Preference values may bepreferably chosen from a list of preference tags as set forth in Table39.

TABLE 8 Exemplary preferences EF file structure External format Internalformat (bytes) Record description Size Type Size Type Preferences Array20 C 20 C

Passport EF 516 may be preferably used to store cardholder passportinformation. In an exemplary embodiment, passport EF 516 may comprisethe fields set forth in Table 9 below.

TABLE 9 Exemplary passport EF file structure External format Internalformat (bytes) Record description Size Type Size Type Passport Number 20AN 20 ASCII Passport Country - ISO 3166 2 AN 2 ASCII Issuance Date 8 D 4BCD City of Issuance 20 AN 20 AN Expiration Date 8 D 4 BCD Restrictions(glasses, disability, 20 AN 20 ASCII etc.)

Driver EF 516 preferably may comprise cardholder driver license data. Inan exemplary embodiment, driver EF 518 comprising the fields set forthin Table 10 below.

TABLE 10 Exemplary driver EF file structure External format Internalformat (bytes) Record description Size Type Size Type Driver's LicenseNo. 20 a 20 ASCII Driver's License Issuing 2 a 2 BCD State/CountryLicense Expiration Date 8 D 4 ASCII License Type 2 C 4 BCD

Biometric EF 522 may be used to store biometric data (preferablyencoded) such as fingerprint data, retina scan data, or any othersufficiently unique indicia the cardholder's physical or behavioralcharacteristics. Information related to biometric data stored onbiometric EF 522 is discussed in further detail below. In an exemplaryembodiment, biometric EF 522 may comprise a single data string as setforth in Table 11 below.

TABLE 11 Exemplary biometric EF file structure External format Internalformat (bytes) Record description Size Type Size Type Biometricstemplate 100 AN 100 BIN

Authentication EF 520 preferably may comprise information for staticauthentication of the cardholder ID 406 application. This data may beunique for each card, and may be sufficiently complex such thatcounterfeit values cannot feasibly be created. This prevents creation of“new” counterfeit cards (i.e., cards with new authentication data), butdoes not prevent creation of multiple copies of the current card.

In an exemplary embodiment, authentication EF 520 may include public keycertificate fields as shown in Table 12 below, wherein the externalformat may be identical to the internal format. Preferably, the issuerRSA key may be 640 bits long, and the CA key may be 768 bits long.

TABLE 12 Exemplary authentication EF Internal format (bytes) Recorddescription Size Type Signed Static Application Data 80 B Static DataAuthentication Tag List 16 B Issuer Public Key Certificate 96 B IssuerPublic Key Exponent 1 B Issuer Public Key Remainder 20 B

Turning now to files under miscellaneous DF 530, preferred programs EF528 preferably may comprise data related to the cardholder's preferencesas to airline companies, hotels, and rental car agencies. Specifically,this EF, in an exemplary embodiment, may comprise a plurality of records(e.g., three) indicating preferred companies for each type of travelpartner as shown in Table 13. The actual data values conform to anarbitrary convention; That is, each airline, hotel, and rental caragency may be assigned an arbitrary three-byte code.

TABLE 13 Exemplary programs EF External format Internal format (bytes)Record description Size Type Size Type Preferred Airlines 9 (3 × 3) C 9C Preferred Hotels 9 C 9 C Preferred Rental Cars 9 C 9 C

Payment card EF 510 may be preferably used to catalog informationrelated to the cardholder's various payment cards, i.e., debit cards,charge cards, and the like. In an exemplary embodiment, payment card EFmay comprise card numbers and expiration dates for two cards as shown inTable 14. The “ISO” and “non-ISO” designations refer to ISO-7813, whichspecifies a particular payment card number format. Thus, in an exemplaryembodiment, either an ISO or non-ISO card number scheme may be used.Moreover, it may be appreciated that this data set may be sufficientonly for “card not present” transactions, for example, transactionstaking place remotely where only the card number and expiration date maybe required to effect a transaction. Data stored within payment systemapplication 408 (described below) must be used to effect a “cardpresent” transaction.

TABLE 14 Exemplary payment card EF file structure External formatInternal format (bytes) Record description Size Type Size Type FirstPayment Card # (ISO) 19 N 10 BCD First Payment Card Expiration 8 D 4 BCDDate Second Payment Card # (non- 20 AN 20 ASCII ISO) Second Payment Card8 D 4 BCD Expiration Date

Sequence EF 512 preferably may include information used to providesynchronization of the host and smartcard databases. In an exemplaryembodiment, sequence EF 512 may comprise a plurality of recordscomprising the field set forth in Table 15 below. This number may beanalogous to a “version” number for the data stored in the application.

TABLE 15 Exemplary sequence EF file structure External format Internalformat (bytes) Record description Size Type Size Type Sequence Number 16AN 16 ASCII

Card number EF 526 may be used to record a unique number identifying thesmartcard, and may also be used for key derivation (as described infurther detail below). Preferably, card number EF 526 may comprise aeight-byte string as set forth in Table 16 below.

TABLE 16 Exemplary card number EF External format Internal format(bytes) Record description Size Type Size Type Card Number 8 HEX 8 HEX

Issuance EF 511 may be used to record various details related to themanner in which the application (i.e., cardholder ID DF 406) wascreated. This file may include information related to the identity ofthe organization that created the application, as well as informationrelated to the application itself. In an exemplary embodiment, issuanceEF 511 may comprise fields as set forth in Table 17 below.

TABLE 17 Exemplary issuance EF file structure External format Internalformat (bytes) Field Size Type Size Type Country Authority ISO 3166 2Issuer Authority 10 RID - 5 HEX ISO 7816-5 Application version 5 XX.YY 2BCD Application expiration 8 YYYYMM 4 BCD date DD Application effective8 YYYYMM 4 BCD date DD Personalizer Code 1 AN 1 ASCII PersonalizationLocation 1 AN 1 ASCII

The personalizer code field shown in Table 17 refers to the organizationthat actually “personalizes” the file. That is, before a smartcard maybe issued to the cardholder, the database structure must be createdwithin EEPROM 212 (FIG. 2), and the initial data values (i.e., defaultpreferences, cardholder name, pin numbers, etc.) must be placed in theappropriate fields within the various EFs. It may be appreciated that,given the nature of the present invention, the smartcard “issuer” and“personalizer” for any given application may not be the same. Therefore,it may be advantageous to record various details of the personalizationprocess within smartcard 100 itself. Similar issuance file structuresmay be provided for the other major applications. A method and systemfor personalization are described in greater detail herein.

Referring now to FIG. 6, payment system application 408 preferably maycomprise a directory EF 610, issuer DF 602, and a number of optional DFs603(a)-(n) for use by partnering financial organizations.

Directory EF 610 preferably may include a list of applicationidentifiers and labels as described above in the context of cardholderID application 406.

Issuer DF 602 may comprise pay1 DF 604, which may include data thatwould traditionally be stored within a track on a magnetic stripe card(i.e., debit cards, charge cards, and the like). Track 1 and Track 2storage is described in greater detail above.

In an exemplary embodiment, pay1 DF 604 may comprise a plurality ofrecords having commonly known magnetic-stripe fields as specified inTable 18 below.

TABLE 18 Exemplary Pay1 EF file structure Internal External formatformat (bytes) Record description Size Type Size Type Format Code(Track 1) 1 AN 1 ASCII PAN (Track 2) 15 N 8 BCDF right paddingExpiration date (Track 1 or 2) 4 YYMM 2 BCD Effective date (Track 1 or2) 4 YYMM 2 BCD Discretionary data (Track 1 or 2) 5 N 3 BCDF rightpadding Name (Track 1) 26 AN 26 ASCII, LJ blank padding

Referring now to FIG. 7, airline application 410 preferably may comprisedirectory EF 730, common DF 702, and issuer DF 704, and additionalairline applications 703(a), 703(b), and so on.

Directory EF 730 preferably may include a list of applicationidentifiers and labels as described above in the context of cardholderID application 406.

Common DF 702 generally may include data accessible to all participatingairlines, while issuer DF 704 generally may include data which may onlybe read or written to by the smartcard issuer. Airline application 410preferably further may comprise at least one (preferably three)additional DF 703 for use by airline partnering organizations.

That is, one airline partner may have access to and specify thestructure of data stored within DF 703(a) (as well as common EF 702),while another airline may have similar access to DF 703(b). Thesepartner DFs preferably conform to the relevant portions of the IATAspecification.

Common DF 702 suitably may comprise common data which would be of use toany of the various partnering airlines, i.e., passenger EF 706, frequentflier EF 708, IET EF 710, boarding EF 712, and biometric EF 714.

Issuer DF 704, in contrast, may comprise information readable by all,but updateable only by the card issuer, i.e., preferences EF 716, PIN EF718, and issuance EF 720.

Referring now to information stored within common EF 702, passenger EF706 preferably may comprise various records related to the passenger asspecified in Table 19 below.

TABLE 19 Exemplary passenger EF file structure External format Internalformat (bytes) Record description Size Type Size Type Passenger Name 49AN 49 ASCII Gender 1 A 1 BIN Language Preference 2 AN 2 ASCII Unique ID24 AN 24 ASCII Airline ID (3 letters code) 3 AN 3 ASCII Type code (2letters) 2 AN 2 ASCII Unique ID 19 AN 19 ASCII Application version 2 N 2BIN

In an exemplary embodiment, frequent flyer EF 708 may comprise aplurality of frequent flier numbers (e.g., ten numbers) having thestructure specified in Table 20 below.

TABLE 20 Exemplary frequent flyer EF file structure External formatInternal format (bytes) Record description Size Type Size Type AirlineCustomer ID 22 AN 22 ASCII

IET EF 710 preferably may comprise a plurality of electronic ticketrecords as set forth in Table 21 below. The format of these electronictickets preferably conforms to the IATA standard.

TABLE 21 Exemplary IET file structure Description External of the formatInternal format (bytes) Records Size Type Size Type IET 1 14 AN 14 BINIET 2 14 AN 14 BIN IET 3 14 AN 14 BIN IET 4 14 AN 14 BIN IET 5 14 AN 14BIN

In an exemplary embodiment, boarding EF 712 may comprise boarding datato be used during check in as specified in Table 22. The format of thisdata preferably conforms to the IATA specification.

TABLE 22 Exemplary boarding EF file structure External format Internalformat (bytes) Record description Size Type Size Type Boarding data 40AN 40 ASCII

Biometric EF 714 may be suitably used to store biometric data associatedwith the cardholder, e.g., retina scan data, fingerprint data, or anyother sufficiently unique indicia of the cardholder's physical orbehavioral characteristics. Information related to biometric data storedon biometric EF 522 is discussed in further detail below. In anexemplary embodiment, biometric EF 714 may comprise data as specified inTable 23 below.

TABLE 23 Exemplary biometric EF file structure External format Internalformat (bytes) Record description Size Type Size Type Biometrics data100 AN 100 BIN

Issuance EF 720 may be suitably used to hold data related to theissuance of the various applications. In an exemplary embodiment,issuance EF 720 may comprise a data structure as specified in Table 24below.

TABLE 24 Exemplary issuance EF file structure Internal External formatformat (bytes) Field Size Type Size Type Country Authority (2 ISO 3166 2letters) Issuer Authority 10 RID - ISO 5 HEX 7816-5 Application version5 XX.YY 2 BCD Application expiration 8 YYYYMM 4 BCD date DD Applicationeffective 8 YYYYMM 4 BCD date DD Personalizer Code 1 AN 1 ASCIIPersonalization Location 1 AN 1 ASCII (custom code)

PIN EF 718 may be suitably used to store PIN values corresponding toeach of the participating airline partners. In an exemplary embodiment,PIN EF 718 may comprise a plurality of records having the structurespecified in Table 25 below, wherein each record may be related to thecorresponding entry in frequent flyer EF 708 (i.e., record one in EF 718corresponds to record one in EF 708, and so on.)

TABLE 25 Exemplary PIN EF file structure External format Internal format(bytes) Record description Size Type Size Type PIN 8 AN 8 BIN Expirationdate 8 D 4 BCD

Preferences EF 716, in an exemplary embodiment, may comprise apreferences array as shown in Table 26 below.

The preference values stored in this file correspond to those discussedbelow in conjunction with Table 38.

TABLE 26 Exemplary preferences EF 716 file structure External formatInternal format (bytes) Record description Size Type Size TypePreferences Array 8 C 8 BIN

Referring now to FIG. 8, rental car application 414 preferably maycomprise common DF 802, directory EF 820, and one or more rental_car DFs803 (i.e., 803(a), 803(b), and so on) corresponding to individual rentalcar agencies.

Common DF may comprise preferences EF 805, which is described in detailbelow. Rental_car DFs 803 each comprise a rental_car_id EF 807,reservation EF 809, and expenses EF 811.

Directory EF 820 may include a list of application identifiers andlabels for the various DFs under rental_car application 414. Thestructure of this EF preferably conforms to that described above in thecontext of cardholder ID application 406.

In an exemplary embodiment, preferences EF 805 may comprise a set ofpreferences arrays file structure as shown in Table 27 below. Anexemplary list of preference codes for use in each of these arrays aredescribed below in conjunction with Table 38.

TABLE 27 Exemplary preferences EF External Internal Record descriptionformat format (bytes) Preferences Array 8 C 8 BIN (Default) PreferencesArray (No. 2) 8 C 8 BIN Preferences Array (No. 3) 8 C 8 BIN Preferredlimousine 12 AN 12 ASCII company

Rental_car_id 807 may be used to store frequent rental information,upgrade information, insurance information, and the like. In anexemplary embodiment, rental_car_id 807 may comprise a file structure asshown in Table 28 below.

TABLE 28 Exemplary rental_car_id EF Internal format Record descriptionExternal format (bytes) Frequent Rental ID# 22 A 22 ASCII Company name 3A 3 ASCII Unique Customer ID 19 A 19 ASCII CDP (Contract Disc. Program)10 A 10 ASCII Accumulated points 8 N 3 BIN Rental features AR 2 BIN CarType Upgrade B 1 bit B Week-end/Vacation Special B 1 bit B GuaranteedLate Reservation B 1 bit B Insurance Array 2 BIN Loss Damage Waiver(LDW) B 1 bit B Personal Automobile B 1 bit B Insurance Personal EffectsCoverage B 1 bit B Personal Insurance B 1 bit B Corporate Insurance B 1bit B

Reservation EF 809 may be used to store confirmation numberscorresponding to one or more rental car reservations. In an exemplaryembodiment, reservation EF 809 may comprise a plurality of records(e.g., two) having a file structure as shown in Table 29 below.

TABLE 29 Exemplary reservation EF Internal Record description Externalformat format(bytes) Rental Car Company 3 A 3 ASCII Location 3 A 3 ASCIIDate 8 D 4 BCD Time 4 T 2 BCD Reservation Number 15 A 15 ASCII FlightNumber 5 M 5 BIN Airlines 3 AN 3 ASCII(RJ) Flight number 4 N 2 BCDPreferred profile 1 C 1 ASCII

Expenses EF 811 may be used to record expenses incurred by thecardholder during car rental (e.g., the total rental charge). In anexemplary embodiment, expenses EF 811 may comprise a plurality ofrecords (e.g., five) having a file structure as shown in Table 30 below.

TABLE 30 Exemplary expenses EF Record External Internal descriptionformat format (bytes) Type of expense 1 C 1 ASCII Date 8 D 4 BCDLocation code 3 AN 3 ASCII Amount 7 N 3 BIN

Referring now to FIG. 9, hotel system application 412 preferably maycomprise directory EF 920, common DF 914, one or more hotel chain DFs902, and one or more property DFs 903.

Common DF 914 may comprise reservation EF 918, expenses EF 916,key-of-the-room EF 910, and preferences EF 912.

Hotel chain EFs 902(a), 902(b), and so on, comprise preferences EF 904and stayer ID EF 906 associated with individual hotel chains. Incontrast, property EFs 903(a), 903(b), and so on, comprise a similarfile structure associated with individual hotel properties (i.e.,independent of whether the particular hotel may be a member of anationwide chain).

In an exemplary embodiment, reservation EF 918 may comprise a pluralityof records having the structure shown in Table 31 below. In general,this EF may be used to store confirmation numbers transmitted tosmartcard 100 when the cardholder makes a reservation at a given hotel(designated in the property code field). The date field stores the dateon which the confirmation number was dispensed.

TABLE 31 Exemplary reservation EF External format Internal format(bytes) Record description Size Type Size Type Property Code 3 AN 3ASCII Date 8 D 4 BCD Confirmation Number 15 AN 15 ASCII

Preferences EF 912 preferably may comprise three sets of arraypreferences. The particular codes used in these arrays are discussedbelow in conjunction with Table 38.

TABLE 32 Exemplary preferences EF External format Internal format(bytes) Record description Size Type Size Type Preferences Array 8 C 8BIN (default) Preferences Array 8 C 8 BIN (number 2) Preferences Array 8C 8 BIN (number 3)

Expenses EF 916 preferably may comprise a list of recent hotel expenses,for example, room costs, dinner expenses, and the like. In an exemplaryembodiment, expenses EF 916 may comprise a plurality of records (forexample, fifteen) arranged in a cyclic file structure and comprising thefields shown in Table 33 below. Thus, the cardholder may be able toexamine and print a list of recently incurred expenses by type (a codefixed by convention), date, amount, and property code.

TABLE 33 Exemplary expenses EF External format Internal format (bytes)Record description Size Type Size Type Type 1 C 1 ASCII Date 8 D 4 BCDProperty Code 3 AN 3 ASCII Amount 7 N 3 BIN

Key-of-the-room EF 910 preferably may comprise electronic key valuesthat may be used in conjunction with card readers to provide access toparticular hotel rooms. In an exemplary embodiment, key-of-the-room EF910 may comprise a plurality of alphanumeric key values as shown inTable 34 below.

TABLE 34 Exemplary key-of-the-room EF External format Internal format(bytes) Record description Size Type Size Type Key value 40 AN 40 BIN

Stayer ID EF 906 preferably may comprise frequent stayer data for aparticular hotel chain. In an exemplary embodiment, Stayer ID EF 906 maycomprise frequent stayer information as shown in Table 35 below.

TABLE 35 Exemplary stayer ID EF External Internal format format (bytes)Record description Size Type Size Type Frequent stayer number 19 AN 19ASCII Frequent Stayer Level 1 AN 1 ASCII Code Frequent Stayer Level 6YYYYMM 3 BCD Expiration Date CDP 10 AN 10 ASCII Event Counter 3 N 1 BINHotel Frequent Stayer PIN 8 AN 8 BIN

Preferences EF 904 preferably may comprise three sets of arraypreferences as shown in Table 36. The particular codes used in thesearrays are discussed below in conjunction with Table 38.

TABLE 36 Exemplary preferences EF External Internal format format(bytes) Record description Size Type Size Type Preferences Array(default) 8 C 8 BIN Preferences Array (number 8 C 8 BIN 2) PreferencesArray (number 8 C 8 BIN 3)

Property DFs 903(a), 903(b), etc., may be used in cases where thepartnering hotel may be not part of a major chain, or when the hotelchooses to employ its own data set independent of its affiliation. Inone embodiment, these property DFs may be identical in structure tohotel chain DFs 902, except that much of the frequent stayer IDinformation may be removed. More specifically, a typical property DF 903may comprise a preferences EF 938 identical to preferences 904 describedabove, along with a stayer ID EF 934 which may include only the CDP,event counter, and hotel frequent stayer PIN fields described inconjunction with Table 33 above. Alternatively, a particular hotel chainor property may choose to implement a different file structure than thatdescribed above.

As mentioned briefly above, an exemplary embodiment may be configuredsuch that preferences may be located in several files distributedthroughout smartcard 100; i.e., in preferences EF 514, airlinepreferences EF 716, hotel preferences EF 912 and 904, and carpreferences EF 810. This allows apparently conflicting preferences tocoexist within the card depending on context. For example, it may bepossible to opt for non-smoking in the cardholder ID application whilechoosing the smoking option within the hotel application. In the case ofconflict, preferences may be read from the top level to the bottomlevel, and each level supersedes the previous one.

An exemplary set of codification rules may be set forth in Table 37below:

TABLE 37 Exemplary Preferences Code Ranges  0-49 General purpose(Cardholder ID 406) 50-99 Hotel application 412 100-149 Rental carapplication 414 150-199 Airline application 410 200-255 Other

More specifically, in an exemplary embodiment, preference flags may becoded as set forth in Table 38 below.

TABLE 38 Exemplary preference codes Preference Code (decimal) GENERALPURPOSE Smoking 00 Non-smoking 01 Home as preferred address 02 Work aspreferred address 03 Handicapped 04 Home as preferred e-mail address 05Work as preferred e-mail address 06 HOTEL PREFERENCES King-size bed 50Queen-size bed 51 Double bed 52 High floor room 53 Low floor room 54Near elevator room 55 Away from elevator room 56 RENTAL CAR PREFERENCESCompact car 100 Standard car 101 Mid-size car 102 Luxury car 103 AIRLINEPREFERENCES Window seat preferred 150 Aisle seat preferred 151 Lowcalorie 152 Vegetarian 153 Diabetic 154 Low sodium 155 Kosher 156

In the context of smartcard transactions, data security has five primarydimensions: 1) data confidentiality, 2) data integrity, 3) accesscontrol, 4) authentication, and 5) non-repudiation. Each of thesedimensions may be addressed through a variety of security mechanisms.Data confidentiality, which deals with keeping information secret (i.e.,unreadable to those without access to a key), may be substantiallyensured using encryption technology. Data integrity (and data sourceverification) focuses on ensuring that data remains unchanged duringtransfer, and typically may employ message authentication techniques.Access control involves card holder verification and other requirementsnecessary in order for a party to read or update a particular file.Authentication involves ensuring that the card and/or the externaldevice may be what it purports to be, and non-repudiation deals with therelated task of ensuring that the source of the data or message may beauthentic, i.e., that a consumer may not repudiate a transaction byclaiming that it was “signed” by an unauthorized party. Cardholderverification using a biometric security system is described in greaterdetail below.

Authentication may be preferably performed using a “challenge/response”algorithm. In general, authentication through a challenge/responsesystem involves: 1) generation of a random number by a first party; 2)transmission of the random number to a second party (the “challenge”, 3)encryption of the random number by the second party in accordance with akey known to both parties, 4) transmission of the encrypted randomnumber to the first party (the “response”), 5) encryption of the randomnumber by the first party, and 6) comparison by the first party of thetwo resulting numbers. In the case where the two numbers match,authentication may be successful; if not, the authentication may beunsuccessful. Note that authentication may work both ways: the externalworld may request authentication of a smartcard (internalauthentication), and a smartcard may request authentication of theexternal world (external authentication) a more detailed account of anexemplary challenge/response algorithm may be found in the IBM MFCspecification.

In an exemplary embodiment, the DES algorithm (Data Encryption Standard)may be employed for the various security functions; however, it may beappreciated that any number of other symmetrical or asymmetricaltechniques may be used in the context of the present invention. Moreparticularly, there may be two general categories of encryptionalgorithms: symmetric and asymmetric. Symmetric algorithms use the samekey for encryption and decryption, for example, DEA (data encryptionalgorithm) which uses a 56-bit key to encrypt 64-bit blocks of data.Asymmetric algorithms, in contrast, use two different keys: one secretkey and one public key. The RSA algorithm, for example, uses two suchkeys and exploits the computational complexity of factoring very largeprime numbers. Additional information these and other cryptographicprinciples may be found in a number of standard texts, for example:Seberry & Pieprzyk, “Cryptography: An Introduction to Computer Security”(1989); Rhee, “Cryptogtography and Secure Communications” (1994);Stinson, “Cryptography: Theory and Practice” (1995); “ContemporaryCryptography: The Science of Information Integrity” (1992); andSchneier, “Applied Cryptography” (2d ed. 1996), the contents of whichare hereby incorporated by reference.

Access control may be suitably provided by including access conditionswithin the header of each EF and DF. This prevents a particularoperation (e.g., reading or updating) from being performed on a fileunless the required access conditions have been fulfilled. Manydifferent access conditions may be appropriate in a smart card context.For example, the smartcard may require cardholder verification (i.e.,request that the cardholder enter a PIN) before a file operation may beallowed. Similarly, internal and/or external authentication as describedabove may be required.

Another important access condition (referred to herein as the SIGNcondition) corresponds to the case where a particular file may be“protected” and where updating of a record requires “signing” of thedata using a message authentication code (MAC). A MAC may be thought ofas a form of electronic seal used to authenticate the content of themessage. In a paradigmatic signing procedure, a shortened, encryptedrepresentation of the message (the MAC) may be created using a messageauthentication algorithm (MAA) in conjunction with a key known to boththe card and external device. The MAC may be then appended onto themessage and sent to the card (or external device, depending on context),and the card itself generates a MAC based on the received message andthe known key. The card then compares the received MAC with the its owninternally-generated MAC. If either the message or MAC was alteredduring transmission, or the sending party did not use the correct key,then the two MACs may not match, and the access condition may not befulfilled. If the two MACs correspond, then the access condition may befulfilled, and the particular file operation may proceed.

A MAC may be generated using a variety of MAAs, for example, the ANSIX9.9 method using an eight-byte key, or the ANSI X9.19 method using asixteen-byte key. Furthermore, the actual key may be “diversified”through encryption with a random number or other appropriate value.These and other details regarding MAC generation may be found in thereferences cited above as well as the IBM MFC specification.

Two other important access conditions may be the NEVER and FREEconditions. The NEVER condition corresponds to the case where a certainfile operation (typically updating) may be never allowed. The FREEcondition, on the other hand, corresponds to the case where eitherupdating or reading a file record may be always allowed, without anyadditional preconditions for access.

In contrast to the MAC techniques discussed briefly above,non-repudiation may be necessarily performed using asymmetricaltechniques. That is, as symmetrical techniques such as MAC “sealing” usea key known to more than one party, such techniques may not be used by athird-party to ascertain whether the source of the message may becorrect. Thus, non-repudiation typically may employ a public keyencryption scheme (e.g., the Zimmerman's PGP system), wherein the senderuses a secret key to “sign” the message, and the receiving party usesthe corresponding public key to authenticate the signature. In thecontext of the present invention, this function may be suitablyperformed by allocating an EF for public and secret key rings, which maybe well known in the art, along with suitable encryption softwareresident in the card for assembling the signed message.

Having thus given a brief overview of typical smartcard securityprocedures, an exemplary set of access conditions may be set forth belowin Table 39. In this regard, the various access conditions for each EFmay be tabulated with regard to whether the file may be being read orupdated. In each case, the access condition (FREE, SIGN, etc.), key“owner” (issuer, partner, user, etc.), and key name may be listed. Inthis regard, it may be appreciated that the key name may be arbitrary,and may be listed here for the sake of completeness.

TABLE 39 Exemplary access conditions READING UPDATING Access Accesscondition Owner Key condition Owner Key MF DF Cardholder ID 406 DFHolder_ID 502 EF ID 504 FREE SIGN ISSUER KEY1 EF Home 506 FREE SIGNISSUER KEY1 EF Business 508 FREE SIGN ISSUER KEY1 EF Preferences FREESIGN ISSUER KEY1 514 EF Passport 516 FREE SIGN ISSUER KEY1 EF BiometricsFREE SIGN ISSUER KEY1 522 EF Driver 518 FREE SIGN ISSUER KEY1 DFMiscellaneous EF Payment card FREE SIGN ISSUER KEY1 510 EF Sequence 512FREE FREE EF Card Number FREE SIGN ISSUER KEY1 526 DF Payment System 408DF Issuer 602 EF Pay1 604 FREE FREE DF Airline 410 DF Common 702 EFPassenger FREE SIGN ISSUER KEY2 706 EF Frequent flier FREE SIGN ISSUERKEY2 708 EF IET 710 FREE FREE EF Boarding 712 FREE FREE EF BiometricFREE FREE 714 DF Issuer 704 EF Preferences FREE SIGN ISSUER KEY2 716 EFPIN 718 FREE SIGN ISSUER KEY2 EF Issuance 720 FREE SIGN ISSUER KEY2 DFRental car 414 DF Common 802 EF Preferences FREE USER IDENT PIN 805 DFRental_car 803 EF FREE SIGN RENTCAR KEY6 Rental_car_ID 807 EFReservation FREE FREE 809 EF Expenses 811 FREE SIGN RENTCAR KEY6(append) (append) (append) IDENT USER PIN (erase) (erase) (erase) DFHotel system 412 DF Common 914 EF Reservation FREE FREE 918 EF Expenses916 FREE FREE USER PIN (append) (erase) (erase) IDENT (erase) EFKey-of-the- FREE FREE room 910 EF Preferences FREE SIGN ISSUER KEY1 912DF Hotel_chain 902 EF Preferences FREE SIGN ISSUER KEY1 904 EF Stayer ID906 FREE SIGN HOTEL KEY5

Having thus given a detailed description of an exemplary smartcard 100and an exemplary data structure 400, the various details related totransactions involving smartcard 100 may now be described. In general, atypical smartcard session involves: (1) activation of the contacts (orcomparable non-contact means); (2) card reset; (3) Answer to reset (ATR)by card; (4) Information exchange between card and host; and, at theconclusion of a session, (5) deactivation of contacts.

First, card 100 may communicate with a card reader provided at an accesspoint 15, and suitable connections may be made between communicationregion 108 on card 100 and the card reader. By “may communicate,” a usermay swipe card 100, insert card 100 into access point 15 and/or a readerassociated with access point 15, and interact with access point 15 viacommunication region 108 by any suitable communication channels, suchas, for example, a telephone network, an extranet, an intranet,Internet, point of interaction device, online communications, off-linecommunications, wireless communications, transponder communications,local area network (LAN), wide area network (WAN), networked or linkeddevices and/or the like. Communication may entail the use of one or morebiometric security systems described in greater detail herein.

In an exemplary embodiment, physical contacts (contacts 106 in FIG. 1)may be used, and DATA, CLOCK, RESET, VDD, and GND connections may bemade. These contacts may be electrically activated in a particularsequence, preferably in accordance with ISO 7816-3 (RST to low state,VDD powered, DATA to reception mode, then CLK applied).

The card reader then initiates a reset (i.e., RST to high state), andthe card returns an answer to reset string (ATR) on the DATA line,preferably in conformance with the content and timing details specifiedin the appropriate parts of ISO 7816. In an exemplary embodiment, theinterface characters may be chosen to reflect a T=1 protocol(asynchronous, half-duplex, block-oriented mode). Further in accordancewith ISO-7816-3, after the card sends an ATR string and the properprotocol may be selected (in an exemplary embodiment, the T=1 mode),host 314 and card 100 begin the exchange of commands and responses thatcomprise a particular transaction. The nature of these commands isdiscussed in further detail below.

At the end of a smartcard session, contacts 106 may be deactivated.Deactivation of contacts 106 may be preferably performed in the orderspecified in ISO 7816-3 (i.e., RST to low state, CLK to low state, DATAto low state, VDD to inactive state). As mentioned above, the VPPcontact may be not utilized in an exemplary embodiment.

In the context of the present invention, command classes andinstructions may be provided for 1) working with application data (i.e.,files stored within the various applications), 2) ensuring datasecurity, 3) card management, and 4) performing miscellaneous functions.

Application data commands may be suitably directed at selecting,reading, and updating individual records or groups of records withinfiles. Security commands may suitably include commands for performingthe challenge/response authentication process, generating randomnumbers, loading or updating cryptographic keys, and changing andverifying the card-holder verification codes (CHV1 and CHV2). Cardmanagement commands may suitably include commands which allow for thecreation and deletion of directories (DFs) and elementary files (EFs).Miscellaneous commands may be suitably provided for modifying the baudrate and reading various card statistics (e.g., data logged duringproduction of the card.) It may be appreciated that many differentcommand sets could be designed for implementing these basic functions.One such command set may be provided by the IBM Multifunction CardOperating System 3.51, hereby incorporated by reference.

Referring again to FIG. 10, access point 15 preferably may comprisesoftware which may provide a user interface (for example, a graphicaluser interface) and may be capable of executing the appropriate SCOScommands in accordance with the particular transaction being effected.For example, consider the case where a cardholder wishes to add apreference in car preferences EF 810 within rental car application 414(shown in FIG. 8). In this instance, a cardholder would locate aconvenient access point 15 (for example, a stand-alone kiosk in a mall)and insert card 100 in a provided card reader in order to initiate atransaction. After suitable handshaking between card 100 and the cardreader has taken place, and after the cardholder has been properlyauthenticated (i.e., the correct access conditions for updating carpreferences EF 810 have been fulfilled), the application program ataccess point 15 queries the user with a choice of preference codes (forexample, those listed in Table 39 above). The user then indicates achoice through textual or graphical means, and the appropriate value maybe sent to card 100 by the application program as part of a commandstring. This value may then be sent to the appropriate partneringorganization 12 (i.e., a rental car partner) and issuer 10 over network19 to be stored in their respective databases 13 and 11. Alternatively,this data may be sent later as part of a card/database synchronizationprocedure, e.g., when the original transaction proceeds off-line.

Consider, as another example, the typical hotel transaction. As detailedabove, the cardholder inserts card 100 into a card reader deployed at asuitable access point 15. After appropriate initialization procedurestake place, the cardholder may be presented, through the use of agraphical user interface, the option to make a hotel reservation. Uponchoosing this option, the software may interrogate the hotel preferencesfield in exemplary programs EF 524 in cardholder ID application 406 anddisplay these hotels first within the list of possible choices.

After the cardholder selects a specific hotel property, the softwarecontacts the appropriate partner 12 over network 19 and requests a hotelroom for a particular set of dates. This step may involve aninterrogation of the various files within hotel system application 412to which the particular hotel has access (i.e., a hotel chain DF 902 orproperty DF 903), or this step may be deferred until check-in (asdescribed below).

Once a reservation has been made, the associated confirmation numbersupplied by the hotel may be downloaded into the confirmation numberfield in reservation EF 918 along with the date and the property code ofthe hotel.

This step may require the cardholder to transmit appropriate credit cardinformation, which may be suitably retrieved from pay1 EF 604.

Upon arrival at the hotel, the cardholder may use smartcard 100 toaccess a kiosk or other convenient access point provided for check-in.Thus, check-in may take place unassisted by hotel personnel, or mayinvolve a more traditional person-to-person interaction where card 100may be used primarily to streamline the check-in process initiated bypersonnel at the front desk.

At check-in, the confirmation number information may be retrieved fromreservation EF 918., and a particular room may be assigned (if notassigned previously). This step may typically involve retrieving, fromthe appropriate preference file (i.e., preferences EF 904 or 912), alist of preferences regarding bed size, room type, and the like. Thislist may be matched against the hotel's database of available rooms,thereby helping to streamline the room assignment process.

Once a room may be assigned, a digital key corresponding to the assignedroom (e.g., a numeric value or alphanumeric string) may be stored inkey-of-the-room EF 910. Card readers may be then employed as part of thedoor lock apparatus for each room, which may be configured to open onlyupon receiving the correct key.

At check-out time, payment may take place using payment card informationstored in payment card EF 510 and pay1 EF 604. Again, a suitablesmartcard reader (i.e., a reader configured with access point 15), maybe provided in any location convenient for check out, e.g., the hotellobby or within the individual hotel rooms themselves. The cardholdermay then acquire frequent stayer points, which would involve updatingone of the stayer ID EFs 906 (or 936). During the course of his stay atthe hotel, the cardholder may have incurred any number of expensesrelated to room-service, on-site dining, film viewing, and the like.These expenses, or a subset thereof, may be conveniently downloaded intoexpenses EF 916 for later retrieval, printout, or archiving.

Use of card 100 in a rental car context would necessarily involve manyof the same steps described above. The task of assigning a car wouldinvolve retrieving car preferences stored within preferences EF 805 andcomparing them to a database of available automobiles. Upon returningthe automobile, the cardholder may then be awarded frequent rentalpoints (through update of frequent renter EF 807), and an expense recordmay be stored within expenses EF 811.

In the airline context, card 100 could be used to make reservations,record preferences, and provide a payment means as described above. Inaddition, electronic tickets may be downloaded (EF IET 710), andboarding information may be supplied via boarding EF 712. Frequent flyerEF 708 may then be used to update the cardholder's frequent flyer miles.

The system in accordance with various aspects of the present inventionmay include methods and apparatus for personalizing and dynamicallysynchronizing smartcards and associated databases in the context of adistributed transaction system. More particularly, referring now to FIG.11, an exemplary dynamic synchronization system (DSS) preferably maycomprise a secure support client server 1104, a card object databaseupdate system 1106 (CODUS), one or more enterprise data synchronizationmay interface 1108 (EDSI), an update logic system 1110, one or moreenterprise data collection units 1112 (EDCUs), and one or more smartcardaccess points 15 configured to interoperably accept and interface withsmartcards 100. In an exemplary embodiment, DSS also suitably maycomprise a personalization system 1140 and an account maintenance system1142 configured to communicate with CODUS 1106.

More particularly, in an exemplary embodiment, secure support clientserver 1104 may be connected over a suitable network to EDSIs 1108through enterprise network 1114. EDSIs 1108 may be linked to updatelogic system 1110, which itself may be linked to enterprise datacollection units 1112. Enterprise data collection units 1112 may belinked to CODUS 1106 and secure support client server 1104. In general,as described in further detail below, each enterprise (e.g., airlinepartner, hotel partner, travel agency, etc.) may be preferablyassociated with a corresponding EDSI 1108, enterprise network 1114, andEDCU 1112. That is, EDCU 1112(a) corresponds to EDSI 1108(a) andenterprise network 1114(a), EDCU 1112(b) corresponding to EDSI 1108(b)and enterprise network 1114(b), and so on. The DSS may include anarbitrary number of such functional blocks in accordance with the numberof enterprises represented.

Personalization system 1140 may suitably function as the issuing sourceof smartcards 100. That is, personalization system 1140 may create andissue smartcards for use by the consumer by providing a predeterminedfile structure populated with initialization data (e.g., accountnumbers, serial numbers, smartcard identifiers, default preferences, andthe like). In this regard, CODUS 1106 may interface with personalizationsystem 1140 in order to facilitate reissuance of the card by providingupdated data in the event a card may be destroyed, lost, or stolen.Personalization system 1140 is described in detail below in conjunctionwith FIG. 19.

Account maintenance system 1142 may be provided for customer servicepurposes and, in this capacity, acts as the point of entry forcardholder complaints, questions, and other customer input. CODUS 1106suitably may communicate with account maintenance system 1142 in orderto assist customer service representatives and/or automated systems inaddressing cardholder issues.

Enterprise network 1114 may be configured similarly to network 19described above. Those skilled in the art will appreciate that a varietyof hardware systems are suitable for implementing the present invention.Various modems, routers, CPU's, monitors, back-up systems,power-supplies, and peripherals may be employed to realize the benefitsof the present system. In one embodiment, for example, a Compaq Prolineacomputer operating in an OS/2 environment using IBM MQ Server softwareis used to implement secure support client server 1108, wherein thevarious access points comprise stand-alone smartcard kiosks, an EDCU1112 and CODUS 1116 is then implemented on a Compaq Prolinea computeroperating in a Windows/NT environment running a suitable databasesoftware package.

Secure support client server 1104 may provide, where appropriate, anyfunctionality missing from the individual access point 15 used during atransaction. Server 1104 also may suitably handle routing of messagesfrom access points 15 to the appropriate EDSI 1108 and/or EDCU 1112.

Referring now to FIGS. 11 and 12, an exemplary secure support clientserver 1104 may comprise a security engine 1202, a supplementalapplication support 1204, and a router 1206. Security engine 1202 maycomprise suitable hardware and/or software to provide secure messagingbetween server 1104, EDSUs 1112, and enterprise network 1114. Morespecifically, security engine 1202 may utilize authentication, dataencryption, and digital signature techniques in connection with incomingand outgoing message packets. A variety of conventional securityalgorithms may be suitable in the context of the present invention,including, for example, DES encryption, RSA authentication, and avariety of other symmetrical and nonsymmetrical cryptographictechniques.

Supplemental application support 1204 preferably may comprise suitablehardware and/or software components related to a specific access point15 functionality. More particularly, server 1104 may suitably determinethe nature of access point 15 utilized during a transaction. If accesspoint 15 does not include the appropriate software for effecting therequested transaction, then server 1104 supplies the functionality(i.e., software modules) which completes the transaction with respectiveEDSIs 1108 and/or EDCUs 1112. The supplemental functionality mayinclude, inter alia, software modules for properly formatting messagepackets (described in further detail below) sent out over the variousnetworks comprising the DSS. For example, where a transaction takesplace via an access point 15 which may consists entirely of astand-alone smartcard reader 2500, then nearly all functionality may besupplied by server 1104 because the smartcard reader, by itself, may beonly capable of transferring messages to and from smartcard 100 in a“dumb” manner. However, when a suitably configured PC may be includedfor access point 15, most necessary functionality may be supplied byvarious software modules residing in the PC. In such a case, server 1104may need only transfer the various message packets to and from accesspoint 15 without supplying additional software. Added functionality maybe supplied through any suitable method, for example, through the use ofportable software code (e.g., Java, ActiveX, and the like), ordistributed software residing within access points 15, cards 100, and/orserver 1104.

Router 1206 may suitably handle routing of messages to the appropriateEDCUs 1112, enterprise network 1114, and access points 15. That is,router 1206 may be configured to identify the appropriate functionalblocks within the DSS to which a given message packet should be sent.The identification of the appropriate functional blocks may take placein a number of ways. In an exemplary embodiment, the identification maybe accomplished through the use of a look-up table comprising a list ofappropriate destinations keyed to information extracted from requestsreceived from access points 15.

In an alternate embodiment of the present invention, a secure supportclient server 1104 may be not used, and the functionality of accesspoints 15 may be suitably specified in order to obviate the need forserver 1104. Alternatively, the functions of server 1104 may beallocated and distributed throughout the DSS components in anyadvantageous manner.

It may be appreciated by those skilled in the art that the term“transaction” refers, generally, to any message communicated over thesystem for effecting a particular goal, for example, debit/chargeauthorization, preference changes, reservation requests, ticketrequests, and the like. FIG. 21, for example, shows an exemplarytransaction data structure useful in the context of performing an onlinetransaction with a travel partner, wherein the field name 2102, datatype 2104 (“C” for character), maximum byte-length 2106, and description2108 may be listed in tabular form. In this example, the transactionmessages may suitably comprise comma delimited data packets, althoughother data structures may be employed.

CODUS 1106 may suitably securely store information related to the stateof the various issued smartcards 100. Referring now to FIGS. 11 and 16,in an exemplary embodiment, CODUS 1106 may comprise a security engine1602, a data management module 1604, a object database 1616, a cardobject administration module 1606, and an audit file 1608.

Security engine 1602 may provide suitable security for, inter alia, theinformation stored within object database 1616. In this regard, securityengine 1602 may utilize various authentication, data encryption, anddigital signature techniques in connection with incoming and outgoingmessage packets. Suitable algorithms in the context of the presentinvention, include, for example, DES encryption, RSA authentication, anda variety of other symmetrical and non-symmetrical cryptographictechniques.

Data management module 1604 may suitably act as a data interface betweenCODUS 1106 and account maintenance 1142 as well as between CODUS 1106and the various EDCUs 1112. More specifically, module 1604 converts andtranslates between the data format used in these systems. For example,data stored within object database 1616 may not be stored in a formatwhich may be easily used by EDCUs 1112 or account maintenance 142.Accordingly, data management module 1604 may comprise suitable routinesfor effecting conversion and formatting of both incoming and outgoingdata.

Card object administration module 1606 preferably may provide suitabledatabase software to edit, update, delete, synchronize, and ensurenon-corruption of data stored within object database 106. A variety ofdatabase packages may be suitable for this task, including, for example,various conventional fourth-generation relational database managementsystems (4GL RDBMS).

Audit file 1608 suitably may track changes to object database 1616,thereby helping to ensure the integrity of card data stored within CODUS1106. More particularly, when changes to object database 1616 take placeas a result of preference updates, transactions, application structurechanges, and the like, audit file 1608 may track suitable informationrelated to these changes, e.g., time, date, and nature and content ofthe change.

Object database 1616, may be used to store the known state of thevarious smartcards 100. In general, the state of a smartcard may becharacterized by a suitable set of card indicia. In an exemplaryembodiment, wherein a data structure in accordance with ISO-7816 may beemployed, object database 1616 stores information related to theindividual applications present on the various smartcards 100 (i.e., theoverall file structure) as well as the individual fields, directories,and data that comprise those applications. A file structure for objectdatabase 1616 may be chosen such that it may include a suitable set ofdata fields for a given smartcard 100.

In an exemplary embodiment, the various EDSIs 1108 track changes tosmartcard data and/or applications corresponding to individualenterprises. With reference to FIGS. 11 and 13, in an exemplaryembodiment, EDSI 1108 may comprise a communication server 1302, asecurity engine 1304, and a file structure 400.

Communication server 1302 may suitably facilitate communication withenterprise network 1114 and update logic system 1110. In this regard,server 1302 may be configured to translate between various formats,media, and communication protocols as may be necessary given theparticular choice of components employed.

Security engine 1304 may provide suitable security measures with respectto the access and storage of information with file structure 400.Security engine 1304 may utilize various authentication, dataencryption, and digital signature techniques in connection with incomingand outgoing message packets. Suitable algorithms in the context of thepresent invention, include, for example, DES encryption, RSAauthentication, and a variety of other symmetrical and non-symmetricalcryptographic techniques.

File structure 400, described in greater detail above, may comprise asingle database or a set of distributed databases and may suitablyprovide a means for storing smartcard information related to individualpartners or enterprises. During synchronization (as described in furtherdetail below) any changes to file structure 400 may be propagatedthrough the system and, visa-versa, changes elsewhere in the system maybe communicated to file structure 400. This communication may bepreferably done securely (using security engine 1304) in conjunctionwith communication server 1302.

In an alternate embodiment, the functionality provided by the EDSIs 1108may be folded into the corresponding EDCU 1112. That is, while anillustrated embodiment may employ one or more physically separate EDSIs1108, it may be advantageous to further streamline the DSS byincorporate this functionality into the corresponding EDCU 1112functional block.

In an exemplary embodiment, update logic system 1110 formats andsecurely routes card data received from and transmitted to EDCUs 1112and EDSIs 1108. Referring now to FIG. 14, in an exemplary embodiment,update logic system 1110 may include a logic engine 1402, a datamanagement module 1404, a security engine 1406, an enterprise updateadministrator 1408, and an enterprise update audit module 1410.

Logic engine 1402 may suitably function to direct and distributeinformation changes across the system. Thus, logic engine 1402 may beable to determine which modules (i.e., which EDCUs 1112 and EDSIs 1108)need to reflect the change Data management module 1404 may suitably actas a data interface between EDSIs 1108 and EDCUs 1112. Morespecifically, module 1404 may be able to convert and translate betweendata format used in these systems. Accordingly, data management module1604 may comprise suitable routines for effecting conversion andformatting of both incoming and outgoing data.

Security engine 1406 may be used to provide suitable security measureswith respect to data flowing through update logic system 1110. Securityengine 1406 may utilize various authentication, data encryption, anddigital signature techniques in connection with incoming and outgoingmessage packets. Suitable algorithms in the context of the presentinvention, include, for example, DES encryption, RSA authentication, anda variety of other symmetrical and non-symmetrical cryptographictechniques.

Enterprise update administrator 1408 suitably may comprise overheadsoftware necessary to maintain data transfer between EDSIs 1108 andEDCUs 1112.

Enterprise update audit module 1410 suitably may track updateinformation flowing through update logic system 1110. More particularly,when information may be communicated across update logic system 1110,(as a result of preference updates, transactions, application structurechanges, and the like), audit module 1410 may track suitable indicia ofthis information, e.g., time, date, and nature and content of thecommunication.

EDCUs 1112 preferably store and coordinate the transfer ofsynchronization data corresponding to a particular enterprise. Withreference to FIG. 15, in an exemplary embodiment, enterprise datacollection unit 1112 may include a security engine 1508, a customerupdate transaction database 1504, a customer pending transactiondatabase 1514, an update database 1502, an EDCU audit file 1506, an EDCUadministrative file 1512, and an EDCU data management module 1516.

Security engine 1508 may be used to provide suitable security measureswith respect to data flowing through EDCU 1112. Toward this end,security engine 1406 may utilize various authentication, dataencryption, and digital signature techniques in connection with incomingand outgoing message packets. Suitable algorithms in the context of thepresent invention, include, for example, DES encryption, RSAauthentication, and a variety of other symmetrical and non-symmetricalconventional cryptographic techniques.

Customer update transaction database 1504 may be used to storeinformation which has been updated on a smartcard 100, but which has notyet propagated to the various databases and networks that requireupdating. For example, smartcard 100 may be used to change cardholderpreferences in the course of a transaction with a particular enterprise.This information would, in the short term, be stored in database 1504(for the particular enterprise) until it could be fanned-out to CODUS1106 and the appropriate EDCUs 1112 and EDSIs 1108. This type oftransaction is described in further detail below.

Customer pending transaction database 1514 may be suitably used to storeinformation related to transactions which have taken place withoutdirect use of the smartcard 100. More particularly, some transactions,such as preference changes and the like, may be initiated by acardholder through a channel which does not involve use of the card, forexample, through a verbal request over a standard telephone. In such acase, and as detailed further below, this data may be suitably stored inpending transaction database 1514. The transaction data remains indatabase 1514 until the corresponding smartcard 100 may be used inconjunction with an access point 15, whereupon smartcard 100 itself (aswell as CODUS 1106) may be updated with this new information.

Update database 1502 may be suitably used to store other types oftransactions, i.e., transactions which may not be classifiable asupdate, loyalty or pending. For example, update database 1502 may beemployed to store file structure updates as detailed below.

Audit file 1506 may be used to track changes to update database 1504,pending database 1514, and database 1502. Audit file 1506 thereforehelps to ensure the integrity of data in the respective files.

Administrative file 1512 may provide suitable database softwarenecessary to edit, update, delete, synchronize, and ensurenon-corruption of data stored within the various databases that compriseEDCU 1112 i.e., databases 1502, 1504, and 1514.

Data management module 1516 may provide data management capabilities tofacilitate data transfer between smartcards 100 and databases 1504,1514, and 1502 as well as between these databases and the other systemsi.e., update logic system 1110 and CODUS 1106. Thus, data managementmodule 1516 acts as interface to ensure seamless transfer of databetween the various systems.

Referring now to FIG. 19, in an exemplary embodiment, personalizationsystem 1140 suitably may comprise a card management system 1902, alegacy management system 1904, a gather application module 1906, one ormore databases 1910, an activation block 1908, a common cardpersonalization utility 1912 (CCP), a service bureau 1914, a common cardsecurity server 1916, a key management system 1918, and one or more keysystems 1920. Key management system 1918 suitably may comprise adatabase module 1922, CID replace module 1924, key system 1926, and keysystem 1928.

CCP 1912 suitably may communicate with CODUS 1106 (shown in FIG. 11),and legacy management system 1904 suitably may communicate with accountmaintenance 1142 which may be also configured to communicate with CODUS1106.

Card management system 1902 may suitably receive the card request 1901and initiates the gathering of information from various sources.Generally, card request 1901 may consists of various request informationintended to specify a desired group of card characteristics. Suchcharacteristics may include, for example: a smartcard identifier (aserial number, account number, and/or any other identifier of aparticular smartcard 100), a list of desired applications (airline,hotel, rental car, etc.); a designation of whether the card may be new,a renewal, or a replacement; a list of default cardmember preferencescorresponding to the desired applications; personal information relatedto the cardmember (name, address, etc.); and required security levels.

Card management system 1902 may suitably parse the card request and, forinformation already stored by the issuer, sends a request to legacy cardmanagement system 1904. For information not available as legacy data,card management system 1902 forwards the relevant components of cardrequest 1901 to gather application module 1906. In an exemplaryembodiment, card management system 1902 chooses the optimum smartcardphysical characteristics for a particular card request 1901. That is,card management system 1902 may suitably determine the appropriate typeof smartcard chip to be used based on a number of factors, for example,memory requirements and computational complexity of the desired securityfunctions. Similarly, the optimum smartcard operating system (SCOS) maybe chosen. In an alternate embodiment, the smartcard chip, operatingsystem, and the like, may be specified in card request 1901.

Legacy management system 1904 acts as a suitable repository ofinformation related to the cardholder's past relationship if any withthe card issuing organization. For example, a cardholder may have along-standing credit or debit account with issuing organization (basedon a standard embossed mag-stripe card) and this information may beadvantageously incorporated into the issued card.

Gather application module 1906 may be suitably configured to receiveinformation from card management system 1902 and legacy managementsystem 1904 and then interface with the various databases 1910 to gatherall remaining application information specified in card request 1901.Preferably, databases 1910 correspond to and may be associated with theindividual partnering enterprises which offer smartcard applications foruse in smartcard 100 (e.g., enterprise network 1114 in FIG. 11). Thus,for example, a card request 1901 which included a request for a hotelapplication would trigger gather application 1906 to initiate datacommunication with the appropriate hotel database 910. Hotel database1910 would then return information specifying the correct filestructure, access conditions (security), default values, and other datanecessary to configure smartcard 100 with the requested application.Communication with the various databases 1910 may take place through anysuitable means, for example, data communication over the Internet, PSTN,and the like, or through other channels, such as simple phone requests.

Activation block 1908 may be suitably used to provide a means for thecardmember to activate the card once it has been issued. For example, itmay be common for credit cards and the like to be sent to the cardmemberunactivated, requiring that the cardmember call (or otherwise contact)an automated system at the issuer in order to activate the card. Thismay be typically accomplished via entry of the card number and othersuitable ID using a touch-tone phone. In this regard, activation block1908 may be used to facilitate this function for the requestedsmartcard, i.e., to specify whether such activation may be necessary fora particular card.

CCP 1912 may be used to create a correctly formatted card “object” i.e.,the operating system, file structure 400 and all other available carddata to be downloaded to card 100 then transfer this information toservice bureau 1914 (for creation of the smartcard) and CODUS 1106 (forrecording the card's state as issued). CCP 1912 may be preferablyconfigured to tailor the format of the card object to the specific cardissuance system to be used (described below). Thus, gather applicationsystem 1906 may deliver a relatively high-level functionality request,and CCP 1912 may create the specific “object” to be used in theimplementation.

Personalization Service Bureau 1914 may comprise suitable hardware andsoftware components to complete production of the smartcards forissuance to the respective cardmembers. In this regard, service bureau1914 may include a suitable smartcard “printer” to handle the transferof information to the smartcard chip as well as any conventionalembossing or mag-stripe writing that may take place. Suitably smartcardprinters may include, for example, any of the series 9000 and series150i smartcard issuance systems manufactured by Datacard Corporation ofMinnetonka, Minn.

Common card security server 1916 (CCSS) suitably may comprise softwareand hardware components necessary to retrieve cryptographic keyinformation from various enterprise key systems 1920. In an exemplaryembodiment, this information may be accessed by service bureau 1914 inorder to complete the personalization process. More particularly, it maytypically be the case that a smartcard 100 contains a number ofdifferent applications associated with a wide range of enterpriseorganizations. One in the art may appreciate that the writing, updating,and reading of these files may be advantageously restricted toparticular parties in accordance with a set of access condition rules.These access conditions may be suitably implemented using cryptographickeys which may be known by the appropriate parties. Thus, service bureau1914 whose task it may be to create and populate the card file structuremay not, ab initio, have access to the keys necessary to perform thisfunction. As mentioned briefly above, known systems have attempted tosolve this problem by accumulating key data in a central repository usedin the issuance process, thereby creating an unacceptable security risk.Methods in accordance with the present invention, however, allow forcommunication between the smartcard and the individual key systems 1920as the card may be being issued, thus allowing key information to besecurely downloaded to the smartcard without the intervention of a thirdparty. CCSS 916 may be suitably used to facilitate this process byreceiving information from CCP 1912 regarding the identity of thevarious applications to be created in the various cards, then, whenprompted by service bureau 1914 (or, alternatively, prior to issuance byservice bureau 1914), contacting the appropriate key system 920 torequest a key to be transmitted to service bureau 1914 duringpersonalization.

Key systems 1920 comprise suitable database systems capable of storing,generating, and securely transmitting cryptographic keys associated witha particular enterprise. Key management system 1918 may be, in thiscontext, a system comparable to key systems 1920, but which may be“owned” by the party implementing the personalization system. Thekey-generating function may be distributed between CCSS and key systems1920. That is, the keys may be generated in real time at CCSS 1916 (inaccordance with algorithms and key information received from theparticular enterprises), rather than being generated at key systems1920.

It may be appreciated to one skilled in the art that the functionalblocks illustrated in FIG. 19 may be implemented using a variety ofhardware and software components, both off-the-shelf and/orcustom-developed. Database-intensive functions performed, for example,by card management system 1902, may be implemented using any suitabledatabase package, e.g., Codebase, dBase, or the like.

A personalization system as described above in conjunction with FIG. 19may be suitably used to efficiently issue a large number of smartcardswith a wide range of functionality levels. This task involves obtainingand coordinating, in a timely fashion, accurate data for individualcardmembers across the various partnering enterprises supported by thesystem. In this regard, it may be the case that certain partneringenterprises desire to limit the dissemination of proprietary data. Thisdata may include, for example, private keys used in connection withsmartcard access conditions as well as file structure and cardmemberpersonal data.

Referring now to FIGS. 19 and 20, an exemplary smartcard personalizationprocess may now be described. First, the system receives a smartcardrequest (step 2002). As mentioned above, card management system 1902 maybe suitably used to receive the card request and initiate the gatheringof information from various sources. Card request 1901 suitably mayconsists of request information intended to specify a desired group ofcard characteristics. Such characteristics may include, for example: asmartcard identifier, a list of desired applications (airline, hotel,rental car, etc.); a designation of whether the card may be new, arenewal, or a replacement; a list of default cardmember preferencescorresponding to the desired applications; personal information relatedto the cardmember (name, address, etc.); and required security levels.

Next, the system selects the smartcard type and configurationappropriate for the given card request 1901 (step 2004). This step maybe suitably performed by card management system 1902. Thus, cardmanagement system 1902 examines a number of factors in light ofinformation received in card request 1901 (e.g., memory requirements,desired security functions, and the like), then selects an appropriatesmartcard chip from a library of available chips. In the same way, theoptimum smartcard operating system (SCOS) may also be selected.

Cardmember information may then be obtained (step 2006). This step maybe suitably performed by gather application module 1906 operating inconjunction with databases 1910 and legacy management system 1904. Moreparticularly, cardmember-specific information may be preferablyclassified in two groups: information known to the personalizationsystem, and information not known by the personalization system. Knowninformation generally may consists of data acquired through a pastrelationship with the organization hosting the personalization system.In such a case, certain data such as cardholder name, exemplary billingaddress, title, company, etc., may most likely already be known, as maycertain application data. Such information may be suitably stored in,and may be retrieved from, one or more databases comprising legacymanagement system 1904. As part of step 2006, the system (specifically,module 1908) preferably determines whether the card should requireactivation. That is, as mentioned briefly above, it may be common toapply a sticker or the like to a card that notifies the cardmember thatactivation of the card may be required prior to use. Activationtypically involves the use of an automated phone system). The choice ofwhether a particular card requires activation may be based on a numberof factors, for example, demographics, crime-rate numbers, or mail fraudstatistics associated with the cardmember's zipcode number.

For data not included in legacy management system 1904, gatherapplication module 1906 suitably may communicate with databases 1910 toretrieve the information needed to satisfy card request 1901. Thisinformation may typically consist of file structure 400 information,e.g., the DF and EF hierarchy, data types and lengths, and accesscondition specifications for the particular enterprise-sponsoredapplication. For example, in the case where card request 1901 mayinclude a request for an airline application, gather application module1906 would contact the database corresponding to the enterprise hostingthe airline application, then download all necessary file structureinformation. This process would continue in turn for each new ormodified application to be incorporated into the smartcard.

A full cardmember data set may then be created (step 2008) suitablyusing CCP 1912. This data set, or “card object”, may ultimately be usedby service bureau 1914 to create the physical smartcard. The form of thecard object may vary. In one embodiment, the card object may comprisewhat has been termed a Binary Large Object (“BLOB”). The card object maybe preferably tailored to the selected smartcard configuration (e.g.,chip type and operating system as specified in step 2004), the contentof cardmember information data (gathered in step 2006 ), and theintended smartcard “printer” (i.e., the apparatus used to create thefinished card within service bureau 1914). This allows the system, inthe preceding steps, to specify file structures, data types, and thelike, without concerning itself with how this structure may be encodedonto the smartcard or how the data may be accessed. Up until step 2008,the system need only develop a relatively high-level model of theintended smartcard data structure; the specifics may be substantiallyinvisible to all but CCP 1912.

In an alternate embodiment, various details of the smartcard data objectmay be determined at a prior point in the system. That is, thefunctionality of CCP 1912 may be distributed among various components ofthe system.

Having created the cardmember data set, or card object, in step 2008,this data may be then sent to CODUS 1106 (step 2010). This ensures thatthe DSS (particularly CODUS 1106) has a record of the smartcard state atthe time of personalization. This information may be then immediatelyavailable to account maintenance system 1142.

The card object may be then sent to service bureau 1914 and (ifrequired) CCSS 1916 (step 2012). The necessary keys may be acquired toallow service bureau 1914 to create the finished smartcard (step 2014).As mentioned above, step 2014 may be suitably performed by CCSS 1916concurrently or serially with the issuance process. In one embodiment,as each individual card may be being created using an issuance systemsuitably located at service bureau 1914, service bureau 1914interrogates CCSS for the appropriate cryptographic keys. These keyshave either been retrieved from key systems 1920 and 1918 earlier (i.e.,after step 2012), or may be retrieved in real-time in response to therequest from service bureau 1914. Alternatively, the keys may beretrieved by CCSS 1916 and transmitted to CCP 1912 prior to transmissionof the card object to service bureau 1914. In either case, the key orkeys may be then retrieved for inclusion in the card object created instep 2008.

The actual card may be issued (step 1016). Service bureau 1914 maysuitably download the card object into the correct smartcard hardwareusing the correct cryptographic keys. The initialized smartcard may thenbe packaged and distributed to the appropriate cardmember in accordancewith conventional methods.

A dynamic synchronization system as described above in variousembodiments may be used to track the “state” of the consumer'ssmartcard. The state of the smartcard may be suitably characterized bythe structure of applications used in the smartcard and the variouspieces of data that may be stored within these applications.

A number of synchronization issues may arise in the multi-functionsmartcard context; indeed, three paradigmatic cases reoccur with somefrequency, and relate to: 1) update transactions, 2) pendingtransactions, and 3) file structure changes. Each of these cases may nowbe described in turn with respect to the present invention.

It may be quite common for a cardholder to make a local change tosmartcard 100 which may be not immediately reflected in all thedatabases which could advantageously make use of this information. Forexample, suppose that upon initialization (i.e., when the card wasoriginally issued via personalization system 1140) the cardholder'ssmartcard 100 was configured to reflect a general preference for smoking(e.g., one file contains a Boolean field keyed to smoking/non-smoking),but the cardholder now wishes to change this general preference file toreflect a non-smoking preference.

In this case, referring now to FIGS. 11, 18 with respect to an exemplaryembodiment of the present invention, the cardholder may suitably insertcard 100 into a conveniently located access point 15, whereuponauthentication of the card and/or card-reader takes place (step 1802).In an exemplary embodiment, authentication takes place in accordancewith relevant sections of the ISO 7816 standard.

Next, the cardholder uses a suitable user interface (supplied by accesspoint 15 working in conjunction with server 1104 ) in order to perform atransaction i.e., to request a change to the preferences file (step1804). This change would typically be reflected at the smartcard 100immediately. That is, access point 15 and/or server 1104 would includethe functionality necessary to access and update the appropriate fileswithin smartcard 100.

Communication router 1206 in server 1104 then routes the transaction tothe appropriate party, i.e., an EDSI 1108 or an EDCU 1112, correspondingto branches 1807 and 1812 respectively. That is, depending on the systemconfiguration, the file to be changed may be associated with aparticular enterprise or, alternatively, may be associated with theorganization hosting the DSS. These two cases will be described in turn.

Following branch 1807 in FIG. 18, the change data may be sent to andstored in the appropriate EDSI 1108 (step 1808). Update logic system1110 then transfers this change request to the appropriate EDCU 1112i.e., the EDCU 1112 corresponding to the particular EDSI (step 1810).This information may be suitably stored in the corresponding updatedatabase 1504. The information may be also distributed to other EDSIs.In the instant example, update logic system 1110 would identify thosesystems that would benefit from knowing the cardholder's smoking status.Such systems may include, for example, various hotels, rental caragencies, and the like.

Alternatively, following branch 1805 in FIG. 18, the data may first bestored at the appropriate EDCU (step 1812), then distributed to otherEDCUs 1112 and EDSIs 1108 as described above.

The card data change may be then transferred to CODUS 1106.Specifically, the various fields and files associated with the smartcard100 may be updated to reflect the change stored in update database 1504.Thus, the information within CODUS 1106 conforms to that containedwithin smartcard 100 and the various EDCUs 1112 and EDSIs 1108. Afterthis transfer, the corresponding change data in update database 1504 maybe cleared (step 1818).

The cardholder may make a change or perform a transaction through achannel that does not directly involve smartcard 100, thus creating aninconsistency between the data in smartcard 100 and the data in variousdatabases throughout the DSS. Such a case may arise, for example, whenthe cardholder calls a hotel to make a reservation (rather thanperforming the transaction on line using smartcard 100) and makes anoral request to change his preferences from smoking to non-smoking.Referring now to FIGS. 11 and 17, in this case, with respect to anexemplary embodiment of the present invention, the cardholder firstcontacts an enterprise through a means that does not include smartcard100 i.e., a “smartcard not present” transaction (step 1702). Using anappropriate interface (voice, keypad, etc.), a change or transaction maybe selected (step 1704). This change may be then stored locally within aparticular enterprise network 1114 and/or may be stored within an EDSI1108 (step 1706).

Next, update logic system 1110 routes this information to thecorresponding EDCU 1112 (step 1708), where it resides in pendingdatabase 1514. At this point, smartcard 100 itself may be oblivious tothe change. As a result, if the cardholder were to initiate asmartcard-present transaction, the corresponding enterprise would likelylook first to the data structure in smartcard 100 for preferences, andas just stated, would most likely arrive at the wrong conclusion (e.g.,a smoking room may be assigned notwithstanding the cardholder'sexpressed preference).

In order to remedy this situation, the present invention may provide amethod by which the smartcard may be up-dated upon its next use (steps1710-1712). That is, after the smartcard may be inserted at an accesspoint 15 and may be suitably authenticated (step 1710), the systeminterrogates pending database 1514 to determine whether any changes havebeen made. If so, the appropriate information may be downloaded tosmartcard 100 (step 1712).

After the above information transfer may be successfully completed, thechange data may be transferred to CODUS 1106, where it may be storedwithin object database 1616. Finally, the respective information withinpending database 1514 may be cleared (step 1716).

In addition to the data-related modifications detailed above, changes tothe structure of data stored in smartcard 100 may also be desirable incertain contexts. That is, during the life of a smartcard, it may belikely that the card issuer, a partnering enterprise, or the cardholderhimself may desire to extend the card's functionality by augmenting thesuite of applications housed within the card. For example, a cardholderwho uses a smartcard for rental car and airline reservations may alsowish to use the card for acquiring and paying for hotel reservations. Insuch a case, the appropriate hotel partner may process the cardholder'srequest and arrange for addition of a hotel application to be added tothe smartcard file structure. In another example, the smartcard issuermay authorize the addition of a new application on its own, for example,a credit and/or debit application. Conversely, it may also beappropriate in some instances to remove applications from the card.

In an exemplary embodiment, the types of file structure changesdescribed above may be handled in a manner analogous to the procedureset forth in FIG. 17, depending, to some extent, upon which partyoriginates the file structure change. That is, as in step 1712, theappropriate file structure change information may be stored in EDCU 1112(for example, in database 1502), and then transferred to smartcard 100when the card may be used in conjunction with an on-line transaction(steps 1710 and 1712). After the file structure on smartcard 100 may beaugmented or otherwise modified, CODUS 1106 (specifically, database1116) may be similarly modified to reflect the change. The changeinformation may be then cleared from database 1502 (step 1716).

While the example transactions set forth above are described in generalterms, the particular nature of data flow to and from the appropriatememory locations within the card may be apparent to those skilled in theart.

In another exemplary embodiment of the present invention, a smartcardtransaction system 2400 may be configured with one or more biometricscanners, processors and/or systems. FIG. 24 illustrates an exemplarysmartcard transaction system 2400 in accordance with the presentinvention, wherein exemplary components for use in completing asmartcard transaction using travel-related information are depicted.System 2400 may include smartcard 100 having IC 110. Smartcard 100 mayalso be configured with a biometric sensor 2204, described in furtherdetail herein. System 2400 may also comprise a smartcard reader 2500configured to communicate with smartcard 100 and access point 15.Smartcard reader 2500 may be configured with a biometric sensor 2430,described in further detail herein. Smartcard 100 may communicate withenterprise network 1114 and/or network 19 through smartcard reader 2500.

A biometric system may include one or more technologies, or any portionthereof, to facilitate recognition of a biometric. As used herein, abiometric may include a user's voice, fingerprint, facial, ear,signature, vascular patterns, DNA sampling, hand geometry, sound,olfactory, keystroke/typing, iris, retinal or any other biometricrelating to recognition based upon any body part, function, system,attribute and/or other characteristic, or any portion thereof. Certainof these technologies will be described in greater detail herein.Moreover, while some of the examples discussed herein may include aparticular biometric system or sample, the invention contemplates any ofthe biometrics discussed herein in any of the embodiments.

The biometric system may be configured as a security system and mayinclude a registration procedure in which a user of transactioninstrument (e.g., smartcard 100) proffers a sample of his fingerprints,DNA, retinal scan, voice, and/or other biometric sample to an authorizedsample receiver (ASR). An ASR may include a local database, a remotedatabase, a portable storage device, a host system, an issuer system, amerchant system, a smartcard issuer system, an employer, a financialinstitution, a non-financial institution, a loyalty point provider, acompany, the military, the government, a school, a travel entity, atransportation authority, a security company, and/or any other system orentity that may be authorized to receive and store biometric samples andassociate the samples with specific biometric databases and/ortransaction instruments (e.g., smartcards 100). As used herein, a userof a smartcard, cardmember, or any similar phrase may include the personor device holding or in possession of the smartcard, or it may includeany person or device that accompanies or authorizes the smartcard ownerto use the smartcard.

FIG. 23 illustrates an exemplary registration procedure in accordancewith the present invention. In one embodiment, a cardmember may contactan ASR to submit one or more biometric samples to an ASR (Step 2301).The cardmember may contact the ASR and submit a sample in person,through a computer and/or Internet, through software and/or hardware,through a third-party biometric authorization entity, through a kioskand/or biometric registration terminal, and/or by any other direct orindirect means, communication device or interface for a person tocontact an ASR.

A cardmember may then proffer a biometric sample to the ASR (step 2303).As used herein, a biometric sample may be any one or more of thebiometric samples or technologies, or portion thereof, described hereinor known in the art. By proffering one or more biometric samples, abiometric may be scanned by at least one of a retinal scan, iris scan,fingerprint scan, hand print scan, hand geometry scan, voice print scan,vascular scan, facial and/or ear scan, signature scan, keystroke scan,olfactory scan, auditory emissions scan, DNA scan, and/or any other typeof scan to obtain a biometric sample. Upon scanning the sample, thesystem may submit the scanned sample to the ASR in portions during thescan, upon completing the scan or in batch mode after a certain timeperiod. The scanned sample may include a hardcopy (e.g., photograph),digital representation, an analog version or any other configuration fortransmitting the sample. The ASR receives the sample and the ASR mayalso receive copies of a cardmember's biometric data along with thesample or at a different time (or within a different data packet) fromreceiving the sample.

The ASR and/or cardmember may correlate and/or register the sample withcardmember information to create a data packet for the sample and storethe data packet in digital and/or any storage medium known in the art.As used herein, a data packet may include the digitized informationrelating to at least one of a biometric sample, a registered biometricsample, a stored biometric sample, a proffered biometric, a profferedbiometric sample, cardmember information, smartcard information and/orany other information. The terms “data packet,” “biometric sample,” and“sample” may be used interchangeably. As used herein, registered samplesmay include samples that have been proffered, stored and associated withcardmember information. By storing the data packet in digital format,the ASR may digitize any information contained in one of the biometricscans described herein. By storing the data packet in any storagemedium, the ASR may print and/or store any biometric sample. Hardcopystorage may be desirable for back-up and archival purposes.

The biometric sample may also be associated with user information tocreate a data packet (step 2305). The sample may be associated with userinformation at any step in the process such as, for example, prior tosubmission, during submission and/or after submission. In oneembodiment, the user may input a PIN number or zip code into accesspoint 15, then scan the biometric to create the biometric sample. Thelocal access point may associate the biometric sample data with the PINand zip code, then transmit the entire packet of information to the ASR.In another embodiment, the access point may facilitate transmitting thesample to an ASR, and during the transmission, the sample may betransmitted through a third system which adds personal information tothe sample.

The information associated with the biometric sample may include anyinformation such as, for example, cardmember information, smartcard 100information, smartcard 100 identifier information, smartcard 100 issuerinformation, smartcard 100 operability information, and/or smartcard 100manufacturing information. Smartcard 100 information may be not limitedto smartcard chip information and may include information related to anytransaction instrument such as transponders, credit cards, debit cards,merchant-specific cards, loyalty point cards, cash accounts and anyother transaction instruments and/or accounts. The cardmemberinformation may also contain information about the user includingpersonal information—such as name, address, and contact details;financial information—such as one or more financial accounts associatedwith the cardmember; loyalty point information—such as one or moreloyalty point accounts (e.g., airline miles, charge card loyalty points,frequent diner points) associated with the cardmember; and/ornon-financial information—such as employee information, employerinformation, medical information, family information, and/or otherinformation that may be used in accordance with a cardmember.

For example, a cardmember may have previously associated a credit cardaccount, a debit card account, and a frequent flier account with hisbiometric sample which may be stored at an ASR. Later, when cardmemberdesires to purchase groceries, cardmember may submit his biometricdsample while using smartcard 100 for the purchase at access point 15.Access point 15 may facilitate sending the biometric sample to the ASRsuch that the ASR authorizes the biometric sample and checks a look-uptable in the ASR database to determine if any information may beassociated with the sample. If information (e.g., financial accounts)may be associated with the sample, the ASR may transmit the informationto the Access point. The Access point may then present cardmember with alist of the three accounts associated with the biometric sample.Cardmember and/or a merchant may then chose one of the accounts in orderto continue and finalize the transaction.

In another embodiment, cardmember may associate each account with adifferent biometric sample. For example, during registration, cardmembermay submit a sample of his right index fingerprint, and request that thesystem primarily associate this sample with a particular credit cardaccount. Cardmember may additionally submit a sample of his left indexfingerprint and request that the system primarily associate the samplewith a particular debit account. Additionally, cardmember may submit hisright thumbprint and request that the system primarily associate thatsample with a particular frequent flier account. By “primarily”associating a sample with an account, the system initially associatesthe sample with that account. For example, cardmember submitting hisright index fingerprint for a financial transaction may have money forthe transaction taken from his credit card account. Cardmember mayadditionally specify which accounts should be secondarily associatedwith a sample. For example, cardmember may have a debit card accountsecondarily associated with his right index fingerprint. As a result, ifcardmember submits his right index fingerprint for a transaction, andthe primary account associated with the sample is overdrawn orunavailable, the secondary account may be accessed in order to furtherthe transaction.

While primary and secondary account association are described herein,any number of accounts may be associated with a sample. Moreover, anyhierarchy or rules may be implemented with respect to the association.For example, the cardmember may instruct the system to access a debitcard account when it receives a right index fingerprint sample, thepurchase qualifies for loyalty points with a certain airline and thepurchase amount is less than $50. The cardmember may additionallyinstruct the system to access a credit card account if it receives aright index fingerprint sample, the purchase does not qualify forairline miles and the purchase amount is greater than $50. Further,while fingerprint samples are discussed herein, any biometric sample mayhave one or more accounts associated with it and may be used tofacilitate a transaction using any of the routines discussed herein.

The ASR and/or cardmember may associate a specific smartcard 100identifier with the biometric sample by any method known in the art forassociating an identifier (e.g., through the use of software, hardwareand/or manual entry.) The ASR may additionally verify the cardmemberand/or smartcard 100 by using one or more forms of the user's secondaryidentification (step 2307). For example, the ASR may verify thecardmember by matching the smartcard information to informationretrieved from scanning information from a cardmember's driver'slicense. The ASR may verify smartcard 100 by contacting the vendor ofsmartcard 100 to confirm that smartcard 100 was issued to a specificcardmember. In another embodiment, the ASR may activate smartcard 100during the registration procedure to confirm that the smartcard 100smartcard chip identifier and other information may be properlyassociated with the cardmember and the cardmember's specific biometricsamples. The ASR may additionally employ one or more verificationmethods to confirm that the biometric sample belongs to the user, suchas, for example, the ASR may request from the user demographicinformation, further biometric samples and/or any other information. Asused herein, “confirm,” “confirmation” or any similar term includesverifying or substantially verifying the accuracy, existence,non-existence, corroboration, and/or the like of the information,component, or any portion thereof. The ASR may additionally employ oneor more additional processing methods in order to facilitate associationof a biometric sample. As used herein, the term processing may includescanning, detecting, associating, digitizing, printing, comparing,storing, encrypting, decrypting, and/or verifying a biometric and/or abiometric sample, or any portion thereof.

Upon association, authentication and/or verification of the biometricsample and smartcard 100, the system may create a data packet store thedata packet and smartcard 100 identifier (step 2309) in one or moredatabases on and/or in communication with system 2400 via a network,server, computer, or any other means of communicating as describedherein. The database(s) may be any type of database described herein.For example, a biometric sample stored on smartcard 100 may be stored inEEPROM 212. The database(s) may be located at or operated by any of theentities discussed herein such as, for example, the ASR and/or by athird-party biometric database operator.

The information stored in the database may be sorted or stored accordingto one or more characteristics associated with the sample in order tofacilitate faster access to the stored sample. For example, fingerprintsamples may be stored in a separate database than voice prints. Asanother example, all fingerprints with certain whirl patterns may bestored in a separate sub-database and/or database from fingerprints witharch patterns.

The biometric samples may also be stored and/or associated with apersonal identification number (PIN) and/or other identifier tofacilitate access to the sample. The PIN may be cardmember selected orrandomly assigned to the biometric sample. The PIN may consist of anycharacters such as, for example, alphanumeric characters and/or foreignlanguage characters.

The system may further protect the samples by providing additionalsecurity with the sample. The security may include, for example,encryption, decryption, security keys, digital certificates, firewallsand/or any other security methods known in the art and discussed herein.One or more security vendors may utilize the security methods to storeand/or access the biometric samples. The present invention anticipatesthat storage of the biometric samples may be such that a sample may befirst encrypted and/or stored under a security procedure, such that thesample may only be accessed by a vendor with the proper level of accessor security which corresponds to or provides access to the storedsample. The samples may be accessible by certain vendors such as, forexample, smartcard 100 transaction account provider system, an issuersystem, a merchant system, a smartcard issuer system, an employer, afinancial institution, a non-financial institution, a loyalty-pointprovider, a company, the military, the government, a school, a travelentity, a transportation authority, and/or a security company.

The smartcard of the invention may include a particular security systemwherein the security system incorporates a particular biometric system.As shown in FIG. 22, smartcard 100 may include a biometric securitysystem 2202 configured for facilitating biometric security using, forexample, fingerprint samples. As used herein, fingerprint samples mayinclude samples of one or more fingerprints, thumbprints, palm prints,footprints, and/or any portion thereof. Biometric security system 2202may include a biometric sensor 2204 which may be configured with asensor and/or other hardware and/or software for acquiring and/orprocessing the biometric data from the person such as, for example,optical scanning, capacitance scanning, or otherwise sensing the portionof cardmember. In one embodiment, biometric sensor 2204 of the securitysystem 2202 may scan a finger of a cardmember in order to acquire hisfingerprint characteristics into smartcard 100. Biometric sensor 2204may be in communication with integrated circuit 110 such that IC 110receives the fingerprint information and transmits a signal to CPU 202to facilitate activating the operation of smartcard 100. A power source(e.g., VCC contact 106(a)) may be in communication with biometric sensor2204 and IC 110 to provide the desired power for operation of thebiometric security system components.

In one exemplary application of smartcard 100 incorporating biometricsecurity system 2202, the user may place his finger on the biometricsensor to initiate the mutual authentication process between smartcard100 and smartcard reader 2500, and/or to provide verification of theuser's identity. Smartcard 100 may digitize the fingerprint and compareit against a digitized fingerprint stored in a database (e.g., securityEEPROM 212) included on smartcard 100. The fingerprint information mayadditionally be compared with information from one or more third-partydatabases communicating with smartcard 100 through any communicationsoftware and/or hardware, including for example, smartcard reader 2500,a Universal Serial Bus (USB) connection, a wireless connection, acomputer, a network and/or any other means for communicating. Thistransfer of information may include use of encryption, decryption,security keys, digital certificates and/or other security devices toconfirm the security of the sample. Smartcard 100 may additionallycommunicate with third-party databases to facilitate a comparisonbetween smartcard 100 identifier and other smartcard identifiers storedwith the biometric samples. As used herein, compare, comparison andsimilar terms may include determining similarities, differences,existence of elements, non-existence of elements and/or the like.

CPU 202 may facilitate the local comparison to authenticate thebiometric and validate the information. Any of the embodiments mayalternatively or additionally include remote comparisons performed orcontrolled by one or more third-party security vendors. One or morecomparison techniques and/or technologies may be used for comparisons.For example, for fingerprint comparisons, CPU 202 may utilize anexisting database to compare fingerprint minutia such as, for example,ridge endings, bifurcation, lakes or enclosures, short ridges, dots,spurs and crossovers, pore size and location, Henry System categoriessuch as loops, whorls, and arches, and/or any other method known in theart for fingerprint comparisons.

Smartcard 100 may additionally be configured with secondary securityprocedures to confirm that fake biometric samples may be not being used.For example, to detect the use of fake fingers, smartcard 100 may befurther configured to measure blood flow, to check for correctly alignedridges at the edges of the fingers, and/or any other secondary procedureto reduce biometric security fraud. Other security procedures forensuring the authenticity of biometric samples may include monitoringpupil dilation for retinal and/or iris scans, pressure sensors, blinkingsensors, human motion sensors, body heat sensors, eyeball pressuresensors and/or any other procedures known in the art for authenticatingthe authenticity of biometric samples.

After verifying the biometric information, smartcard 100 and smartcardreader 2500 may begin authentication, and the transaction may proceedaccordingly. However, the invention contemplates that the verificationof biometric information may occur at any point in the transaction suchas, for example, after the mutual authentication. At any point in thetransaction, the system may additionally request cardmember to enter aPIN and/or other identifier associated with the transaction accountand/or biometric sample to provide further verification of cardmember'sidentification. As part of the transaction, cardmember payer may berequested to select from one of the financial accounts, loyaltyaccounts, credit accounts, debit account, and/or other accountsassociated with the biometric sample. The user may be presented with alist of account options on a display associated with smartcard reader2500, smartcard 100, a third-party security device and/or any otherfinancial or transaction device association with a transaction. Inanother embodiment, a payee may select one of the accounts. For example,a department store payee may manually and/or automatically select adepartment store issued account, if available, for a transaction.

In another exemplary embodiment, biometric security system 2202 may beconfigured for facilitating biometric security using facial recognitionor recognition of any other body part or object. As discussed herein,facial recognition may include recognition of any facial featuresobtained through a facial scan such as, for example, the eyes, nose,cheeks, jaw line, forehead, chin, ear features, head shape, hairline,neck features, shoulder height, forehead slope, lip shape, distancebetween the ears and/or any portion thereof. Biometric security system2202 may include a biometric sensor 2204 which may be configured with avideo camera, optical scanner, imaging radar, ultraviolet imaging and/orother hardware and/or software for acquiring the biometric data from theperson such as, for example video scanning, optical scanning orotherwise sensing any portion of cardmember. In one embodiment,biometric sensor 2204 of the security system 2202 may scan the face of acardmember in order to acquire his facial characteristics into smartcard100. Biometric sensor 2204 may be in communication with IC 110 such thatsensor 2204 receives the facial information and transmits a signal toCPU 202 to facilitate activating the operation of smartcard 100. A powersource (e.g., VCC contact 106(a)) may be in communication with biometricsensor 2204 and IC 110 to provide the desired power for operation of thebiometric security system components.

In one exemplary application of smartcard 100 incorporating biometricsecurity system 2202, system 2202 may scan the facial features of thecardmember to initiate the mutual authentication process betweensmartcard 100 and smartcard reader 2500, and/or to provide verificationof the user's identity. Security system 2202 may be configured such thatcardmember may stand at least two-feet away from sensor 2204.Additionally, sensor 2204 may be configured to detect facial features ofa user turned at least 30 degrees toward the camera.

Smartcard 100 may digitize the facial scan and compare it against adigitized facial scan stored in a database (e.g., security EEPROM 212)included on smartcard 100. The facial scan information may additionallybe compared with information from one or more third-party databasescommunicating with smartcard 100 through any communication softwareand/or hardware, including for example, smartcard reader 2500, a USBconnection, a wireless connection, a computer, a network and/or anyother means for communicating. This transfer of information may includeuse of encryption, decryption, security keys, digital certificatesand/or other security devices to confirm the security of the sample.Smartcard 100 may additionally communicate with third-party databases tofacilitate a comparison between smartcard 100 identifier and othersmartcard identifiers stored with the biometric samples.

CPU 202 may facilitate the local comparison to authenticate thebiometric and may validate the information. Any of the embodiments mayalternatively or additionally include remote comparisons performed orcontrolled by one or more third-party security vendors. One or morecomparison techniques and/or technologies may be used for comparisons.For example, for facial recognition, CPU 202 may utilize an existingdatabase to compare nodal points such as the distance between the eyes,the width of the nose, the jaw line, and the depth of the user's eyesockets. While only some types of nodal points are listed, the presentinvention recognizes that it is known that there are over 80 differentnodal points on a human face that may be used for comparison in thepresent invention. Additonally, third-party devices such as facialrecognition software and/or hardware systems may be used to facilitatefacial recognition, such as the systems developed by Viisage, Imagis,and Identix which employ complex algorithms that facilitate bothsearching facial and/or ear scans and adjusting stored data based oneyewear, facial hair, and other changes in outward facial and/or earappearance.

Smartcard 100 may additionally be configured with secondary securityprocedures to confirm that fake biometric samples may be not being used.For example, to detect the use of fake facial features, smartcard 100may be further configured to measure blood flow, to detect a thermalpattern associated with facial features, and/or any other secondaryprocedure to reduce biometric security fraud. Other security proceduresfor ensuring the authenticity of biometric samples may includemonitoring pupil dilation for retinal and/or iris scans, pressuresensors, blinking sensors, human motion sensors, body heat sensorsand/or any other procedures known in the art for authenticating theauthenticity of biometric samples. After verifying the biometricinformation, smartcard 100 and smartcard reader 2500 may beginauthentication by any of the methods described herein.

In another exemplary embodiment, biometric security system 2202 may beconfigured for facilitating biometric security using voice recognition.As discussed herein, voice recognition may include recognition of voiceand/or speaker features such as, phonated excitation, whisperedexcitation, frication excitation, compression, vibration, parametricwaveforms, tone, pitch, dialect, annunciation, and/or any portionthereof. As discussed herein, these voice recognition features may becollectively referred to as a “voice print.” Biometric security system2202 may include a biometric sensor 2204 which may be configured with anaudio capture device such as a microphone, telephone, cellular phone,computer, speaker and/or other hardware and/or software for acquiringthe biometric data from the person such as, for example auditoryscanning, recording or otherwise sensing the portion of cardmember.

In one exemplary application of smartcard 100 incorporating biometricsecurity system 2202, system 2202 may capture the voice print of thecardmember to initiate the mutual authentication process betweensmartcard 100 and smartcard reader 2500, and/or to provide verificationof the user's identity. In one embodiment, biometric sensor 2204 of thesecurity system 2202 may capture a voice print, when a user recites, forexample, a pass phrase or audible PIN. Biometric sensor 2204 may be incommunication with IC 110 such that sensor 2204 receives the voice printand transmits a signal to CPU 202 to facilitate activating the operationof smartcard 100. A power source (e.g., VCC contact 106(a)) may be incommunication with biometric sensor 2204 and IC 110 to provide thedesired power for operation of the biometric security system components.

Smartcard 100 may digitize the voice print and compare it against adigitized voice print stored in a database (e.g., security EEPROM 212)included on smartcard 100. The voice print information may additionallybe compared with information from one or more third-party databasescommunicating with smartcard 100 through any communication softwareand/or hardware, including for example, smartcard reader 2500, a USBconnection, a wireless connection, a computer, a network and/or anyother means for communicating. CPU 202 may facilitate the localcomparison to authenticate the biometric and validate the information.Any of the embodiments may alternatively or additionally include remotecomparisons performed or controlled by one or more third-party securityvendors.

One or more comparison techniques and/or technologies may be used forcomparisons. For example, for voice recognition, CPU 202 may utilize anexisting database to compare the voice print by comparing voice printwaveforms in the time domain, by comparing energy content in the voiceprints across the frequency domain, by the use of stochastic modelsand/or template models, and/or by any other voice recognition methodknown in the art. This transfer of information may include use ofencryption, decryption, security keys, digital certificates and/or othersecurity devices to confirm the security of the sample. Smartcard 100may additionally communicate with third-party databases to facilitate acomparison between smartcard 100 identifier and other smartcardidentifiers stored with the biometric samples. Further, the presentinvention anticipates use of one or more third-party devices such asvoice recognition software and/or hardware systems to facilitate voiceprint comparisons, such as, for example SAFLINK and Voice SecuritySystems.

Smartcard 100 and/or any other third-party security vendor system usedin connection with smartcard 100 may additionally be configured withsecondary security procedures to confirm that fake biometric samples arenot being used. For example, to detect the use of a recorded voice,system 2202 may be further configured to detect audio noise associatedwith an electronic device and/or any other secondary procedure to thwartbiometric security fraud. After verifying the biometric information,smartcard 100 and smartcard reader 2500 may begin authentication by themethods described herein.

In another exemplary embodiment of the present invention, biometricsecurity system 2202 may be configured for facilitating biometricsecurity using signature recognition. As discussed herein, signaturerecognition may include recognition of the shape, speed, stroke, styluspressure, timing information, character height and width and/or othersignature information and/or any portion thereof during the act ofsigning. As discussed herein, these signature recognition features maybe collectively referred to as a “signature scan.” Biometric securitysystem 2202 may include a biometric sensor 2204 which may be configuredwith an LCD screen, digitizing tablet and/or other hardware and/orsoftware that facilitates digitization of biometric data from the personsuch as, for example signature scanning, recording or otherwise sensingthe signature of cardmember.

In one exemplary application of smartcard 100 incorporating biometricsecurity system 2202, system 2202 may capture the signature scan of thecardmember to initiate the mutual authentication process betweensmartcard 100 and smartcard reader 2500, and/or to provide verificationof the user's identity. In one embodiment, biometric sensor 2204 of thesecurity system 2202 may capture a signature scan, when a user signs,for example, his name or a specified word or phrase. Biometric sensor2204 may be in communication with IC 110 such that sensor 2204 receivesthe signature scan and transmits a signal to CPU 202 to facilitateactivating the operation of smartcard 100. A power source (e.g., VCCcontact 106(a)) may be in communication with biometric sensor 2204 andIC 110 to provide the desired power for operation of the biometricsecurity system components.

Smartcard 100 may digitize the signature scan and compare it against adigitized signature scan stored in a database (e.g., security EEPROM212) included on smartcard 100. The signature scan information mayadditionally be compared with information from one or more third-partydatabases communicating with smartcard 100 through any communicationsoftware and/or hardware, including for example, smartcard reader 2500,a USB connection, a wireless connection, a computer, a network and/orany other means for communicating. CPU 202 may facilitate the localcomparison to authenticate the biometric and validate the information.Any of the embodiments may alternatively or additionally include remotecomparisons performed or controlled by one or more third-party securityvendors.

For example, for voice recognition, CPU 202 may utilize an existingdatabase to compare the features of a signature scan by comparinggraphs, charts, and or other data relating to shape, speed, stroke,stylus pressure, timing information, character height and width and/orby any other signature recognition data. This transfer of informationmay include use of encryption, decryption, security keys, digitalcertificates and/or other security devices to confirm the security ofthe sample. Smartcard 100 may additionally communicate with third-partydatabases to facilitate a comparison between smartcard 100 identifierand other smartcard identifiers stored with the biometric samples.Further, the present invention anticipates use of one or morethird-party devices such as signature recognition software and/orhardware systems to facilitate signature scan comparisons, such as, forexample CyberSIGN, LCI Computer Group, and Xenetek.

Smartcard 100 and/or any other third-party security vendor system usedin connection with smartcard 100 may additionally be configured withsecondary security procedures to confirm that fake biometric samples arenot being used. For example, to detect the use of a false signaturedevice, system 2202 may be further configured to detect a thermalpattern associated with a human hand and/or any other secondaryprocedure to thwart biometric security fraud. After verifying thebiometric information, smartcard 100 and smartcard reader 2500 may beginauthentication by the methods described herein.

In another exemplary embodiment, biometric security system 2202 may beconfigured for facilitating biometric security using vascular patternrecognition. As discussed herein, vascular pattern may includerecognition of structures, depths, and other biometric reference pointsof arterial issues, vein tissues, capillary tissues, epithelial tissues,connective tissues, muscle tissues, nervous and/or other inner tissuesand/or any portion thereof. As discussed herein, these vascular patternfeatures may be collectively referred to as a “vascular scan.” Biometricsecurity system 2202 may include a biometric sensor 2204 which may beconfigured with an optical scanner, x-ray, ultrasound, computedtopography, thermal scanner and/or other hardware and/or software thatfacilitates capture of biometric data from the person such as, forexample scanning, detecting or otherwise sensing a vascular pattern ofcardmember.

In one exemplary application of smartcard 100 incorporating biometricsecurity system 2202, system 2202 may capture the vascular scan of thecardmember to initiate the mutual authentication process betweensmartcard 100 and smartcard reader 2500, and/or to provide verificationof the user's identity. In one embodiment, biometric sensor 2204 of thesecurity system 2202 may capture a vascular scan, when a user places hishand in front of an optical scanner. Biometric sensor 2204 may be incommunication with IC 110 such that sensor 2204 receives the vascularscan and transmits a signal to CPU 202 to facilitate activating theoperation of smartcard 100. A power source (e.g., VCC contact 106(a))may be in communication with biometric sensor 2204 and IC 110 to providethe desired power for operation of the biometric security systemcomponents.

Smartcard 100 may digitize the vascular scan based on biometricreference points and compare it against a digitized vascular scan storedin a database (e.g., security EEPROM 212) included on smartcard 100. Thevascular scan information may additionally be compared with informationfrom one or more third-party databases communicating with smartcard 100through any communication software and/or hardware, including forexample, smartcard reader 2500, a USB connection, a wireless connection,a computer, a network and/or any other means for communicating. CPU 202may facilitate the local comparison to authenticate the biometric andvalidate the information. Any of the embodiments may alternatively oradditionally include remote comparisons performed or controlled by oneor more third-party security vendors.

For example, for vascular pattern recognition, CPU 202 may utilize anexisting database to compare the vascular scan by comparing biometricreference points, vascular coordinates, vascular and/or tissue lengths,widths and depths; blood pressure including waveforms, dicrotic notches,diastolic pressure, systolic pressure, anacrotic notches and pulsepressure, and/or any other characteristic of vascular and/or tissuepatterns. This transfer of information may include use of encryption,decryption, security keys, digital certificates and/or other securitydevices to confirm the security of the sample. Smartcard 100 mayadditionally communicate with third-party databases to facilitate acomparison between smartcard 100 identifier and other smartcardidentifiers stored with the biometric samples. Further, the presentinvention anticipates use of one or more third-party devices such asvascular pattern recognition software and/or hardware systems tofacilitate vascular scan comparisons, such as, for example VEIDInternational, Identica and ABT Advanced Biometric Technologies.

Smartcard 100 and/or any other third-party security vendor system usedin connection with smartcard 100 may additionally be configured withsecondary security procedures to confirm that fake biometric samples arenot being used. For example, to detect the use of a false vascularpatterns, system 2202 may be further configured to detect a thermalpattern associated with vascular patterns and/or any other secondaryprocedure to thwart biometric security fraud. After verifying thebiometric information, smartcard 100 and smartcard reader 2500 may beginauthentication by the methods described herein.

In another exemplary embodiment, biometric security system 2202 may beconfigured for facilitating biometric security using DNA biometrics. Asdiscussed herein, DNA biometrics may include recognition of structures,gene sequences, and other genetic characteristics of skin tissue, hairtissue, and/or any other human tissue and/or any portion thereofcontaining genetic information. As discussed herein, these geneticfeatures may be collectively referred to as a “DNA scan.” Biometricsecurity system 2202 may include a biometric sensor 2204 which may beconfigured with an infrared optical sensor, a chemical sensor and/orother hardware and/or software that facilitates capture of biometricdata from the person such as, for example scanning, detecting orotherwise sensing a DNA scan of cardmember.

In one exemplary application of smartcard 100 incorporating biometricsecurity system 2202, system 2202 may capture the DNA scan of thecardmember to initiate the mutual authentication process betweensmartcard 100 and smartcard reader 2500, and/or to provide verificationof the user's identity. In one embodiment, biometric sensor 2204 of thesecurity system 2202 may capture a DNA scan, when a user submits geneticmaterial to sensor 2204. Biometric sensor 2204 may be in communicationwith IC 110 such that sensor 2204 receives the DNA scan and transmits asignal to CPU 202 to facilitate activating the operation of smartcard100. A power source (e.g., VCC contact 106(a)) may be in communicationwith biometric sensor 2204 and IC 110 to provide the desired power foroperation of the biometric security system components.

Smartcard 100 may digitize the DNA scan based on genetic informationreference points and compare it against a digitized DNA scan stored in adatabase (e.g., security EEPROM 212) included on smartcard 100. The DNAscan information may additionally be compared with information from oneor more third-party databases communicating with smartcard 100 throughany communication software and/or hardware, including for example,smartcard reader 2500, a USB connection, a wireless connection, acomputer, a network and/or any other means for communicating. CPU 202may facilitate the local comparison to authenticate the biometric andvalidate the information. Any of the embodiments may alternatively oradditionally include remote comparisons performed or controlled by oneor more third-party security vendors.

For example, for DNA recognition, CPU 202 may utilize an existingdatabase to compare the DNA scan by comparing nucleotides, codesequences, regulatory regions, initiation and stop codons, exon/intronborders, and/or any other characteristics of DNA. This transfer ofinformation may include use of encryption, decryption, security keys,digital certificates and/or other security devices to confirm thesecurity of the sample. Smartcard 100 may additionally communicate withthird-party databases to facilitate a comparison between smartcard 100identifier and other smartcard identifiers stored with the biometricsamples. Further, the present invention anticipates use of one or morethird-party devices such as DNA recognition software and/or hardwaresystems to facilitate DNA scan comparisons, such as, for example AppliedDNA Sciences.

Smartcard 100 and/or any other third-party security vendor system usedin connection with smartcard 100 may additionally be configured withsecondary security procedures to confirm that fake biometric samples arenot being used. For example, to detect the use false DNA, system 2202may be further configured to take a DNA sample directly off a userand/or any other secondary procedure to thwart biometric security fraud.After verifying the biometric information, smartcard 100 and smartcardreader 2500 may begin authentication by the methods described herein.

In another exemplary embodiment, biometric security system 2202 may beconfigured for facilitating biometric security using hand geometrybiometrics. As discussed herein, hand geometry biometrics may includerecognition of hand geometry parameters, such as, for example, handshape, finger length, finger thickness, finger curvature and/or anyportion thereof. As discussed herein, these hand geometry features maybe collectively referred to as a “hand geometry scan.” Biometricsecurity system 2202 may include a biometric sensor 2204 which may beconfigured with an infrared optical sensor, a three-dimensional imagingsystem and/or other hardware and/or software that facilitates capture ofbiometric data from the person such as, for example scanning, detectingor otherwise sensing a hand geometry scan of cardmember.

In one exemplary application of smartcard 100 incorporating biometricsecurity system 2202, system 2202 may capture the hand geometry scan ofthe cardmember to initiate the mutual authentication process betweensmartcard 100 and smartcard reader 2500, and/or to provide verificationof the user's identity. In one embodiment, biometric sensor 2204 of thesecurity system 2202 may capture a hand geometry scan, when a userplaces his hand in front of an optical scanner. Biometric sensor 2204may be in communication with IC 110 such that sensor 2204 receives thehand geometry scan and transmits a signal to CPU 202 to facilitateactivating the operation of smartcard 100. A power source (e.g., VCCcontact 106(a)) may be in communication with biometric sensor 2204 andIC 110 to provide the desired power for operation of the biometricsecurity system components.

Smartcard 100 may digitize the hand geometry scan based on hand geometryparameters and compare it against a digitized hand geometry scan storedin a database (e.g., security EEPROM 212) included on smartcard card100. The hand geometry scan information may additionally be comparedwith information from one or more third-party databases communicatingwith smartcard 100 through any communication software and/or hardware,including for example, smartcard reader 2500, a USB connection, awireless connection, a computer, a network and/or any other means forcommunicating. CPU 202 may facilitate the local comparison toauthenticate the biometric and validate the information. Any of theembodiments may alternatively or additionally include remote comparisonsperformed or controlled by one or more third-party security vendors.

For example, for hand geometry recognition, CPU 202 may utilize anexisting database to compare hand shape, finger length, fingerthickness, finger curvature and/or any other of the 90 different handgeometry parameters known in the art. This transfer of information mayinclude use of encryption, decryption, security keys, digitalcertificates and/or other security devices to confirm the security ofthe sample. Smartcard 100 may additionally communicate with third-partydatabases to facilitate a comparison between smartcard 100 identifierand other smartcard identifiers stored with the biometric samples.Further, the present invention anticipates use of one or morethird-party devices such as hand geometry recognition software and/orhardware systems to facilitate hand geometry scan comparisons, such as,for example IR Recognition Services and Human Recognition Services.

Smartcard 100 and/or any other third-party security vendor system usedin connection with smartcard 100 may additionally be configured withsecondary security procedures to confirm that fake biometric samples arenot being used. For example, to detect the use of false hands, system2202 may be further configured to measure blood flow, to detect bodyheat and/or any other secondary procedure to thwart biometric securityfraud. After verifying the biometric information, smartcard 100 andsmartcard reader 2500 may begin authentication by the methods describedherein.

In another exemplary embodiment, biometric security system 2202 may beconfigured for facilitating biometric security using auditory emissionsbiometrics. As discussed herein, auditory emissions biometrics mayinclude emissions that an ear generates when stimulated by sound, suchas vibrations and reverberated sound waves and/or any portion thereof.As discussed herein, these auditory emissions features may becollectively referred to as an “auditory emissions scan.” Biometricsecurity system 2202 may include a biometric sensor 2204 which may beconfigured with an infrared optical sensor, an auditory sensor, anauditory generator and/or other hardware and/or software thatfacilitates the capture of biometric data from the person such as, forexample sound generating, scanning, detecting or otherwise sensing anauditory emissions scan of cardmember.

In one exemplary application of smartcard 100 incorporating biometricsecurity system 2202, system 2202 may capture the auditory emissionsscan of the cardmember to initiate the mutual authentication processbetween smartcard 100 and smartcard reader 2500, and/or to provideverification of the user's identity. In one embodiment, biometric sensor2204 of the security system 2202 may capture an auditory emissions scan,when a user hears an auditory stimulant and the user's auditoryemissions may be detected by biometric sensor 2204. Biometric sensor2204 may be in communication with IC 110 such that sensor 2204 receivesthe auditory emissions scan and transmits a signal to CPU 202 tofacilitate activating the operation of smartcard 100. A power source(e.g., VCC contact 106(a)) may be in communication with biometric sensor2204 and IC 110 to provide the desired power for operation of thebiometric security system components.

Smartcard 100 may digitize the auditory emissions scan based onemissions waveforms and compare it against a digitized auditoryemissions scan stored in a database (e.g., security EEPROM 212) includedon smartcard 100. The auditory emissions scan information mayadditionally be compared with information from one or more third-partydatabases communicating with smartcard 100 through any communicationsoftware and/or hardware, including for example, smartcard reader 2500,a USB connection, a wireless connection, a computer, a network and/orany other means for communicating. CPU 202 may facilitate the localcomparison to authenticate the biometric and validate the information.Any of the embodiments may alternatively or additionally include remotecomparisons performed or controlled by one or more third-party securityvendors.

For example, for auditory emissions recognition, CPU 202 may utilize anexisting database to compare emissions difference in frequency,wavelength, and/or other characteristics between the transmitted andreverberated sound waves. This transfer of information may include useof encryption, decryption, security keys, digital certificates and/orother security devices to confirm the security of the sample. Smartcard100 may additionally communicate with third-party databases tofacilitate a comparison between smartcard 100 identifier and othersmartcard identifiers stored with the biometric samples. Further, thepresent invention anticipates use of one or more third-party devicessuch as auditory emissions recognition software and/or hardware systemsto facilitate auditory emissions scan comparisons, such as, for examplethose developed by the University of Southampton.

Smartcard 100 and/or any other third-party security vendor system usedin connection with smartcard 100 may additionally be configured withsecondary security procedure to confirm that fake biometric samples arenot being used. For example, to detect the use of false auditoryemissions scans, system 2202 may be further configured to detectelectronic noise associated with a device producing electronic auditoryemissions and/or any other secondary procedure to thwart biometricsecurity fraud. After verifying the biometric information, smartcard 100and smartcard reader 2500 may begin authentication by the methodsdescribed herein.

In another exemplary embodiment, biometric security system 2202 may beconfigured for facilitating biometric security using olfactorybiometrics. As discussed herein, olfactory biometrics may includeodorants that a body generates when odor evaporates from and/or anyportion thereof. As discussed herein, these odorants may be collectivelyreferred to as “smellprint.” Biometric security system 2202 may includea biometric sensor 2204 which may be configured with an electronicsensor, a chemical sensor, and/or an electronic or chemical sensorconfigured as an array of chemical sensors, wherein each chemical sensormay detect a specific odorants, or smell. In another embodiment,biometric sensor 2204 may be configured as a gas chromatograph,spectrometer, conductivity sensor, piezoelectric sensor and/or otherhardware and/or software that facilitates the capture of biometric datafrom the person such as, for example, scanning, detecting or otherwisesensing a smellprint of cardmember.

In one exemplary application of smartcard 100 incorporating biometricsecurity system 2202, system 2202 may capture the smellprint of thecardmember to initiate the mutual authentication process betweensmartcard 100 and smartcard reader 2500 and/or to provide verificationof the user's identity. In one embodiment, biometric sensor 2204 of thesecurity system 2202 may capture a smellprint, when a user stands withinat least two feet of sensor 2204. Biometric sensor 2204 may be incommunication with IC 110 such that sensor 2204 receives the smellprintand transmits a signal to CPU 202 to facilitate activating the operationof smartcard 100. A power source (e.g., VCC contact 106(a)) may be incommunication with biometric sensor 2204 and IC 110 to provide thedesired power for operation of the biometric security system components.

Smartcard 100 may digitize the smellprint and compare it against adigitized smellprint stored in a database (e.g., security EEPROM 212)included on smartcard 100. The smellprint information may additionallybe compared with information from one or more third-party databasescommunicating with smartcard 100 through any communication softwareand/or hardware, including for example, smartcard reader 2500, a USBconnection, a wireless connection, a computer, a network and/or anyother means for communicating. CPU 202 may facilitate the localcomparison to authenticate the biometric and validate the information.Any of the embodiments may alternatively or additionally include remotecomparisons performed or controlled by one or more third-party securityvendors.

For example, for smellprints, CPU 202 may utilize an existing databaseto compare the difference in molecular structures, chemical compounds,temperature, mass differences, pressure, force, and odorants by usingstatistical, ANN and neuromorphic techniques. This transfer ofinformation may include use of encryption, decryption, security keys,digital certificates and/or other security devices to confirm thesecurity of the sample. Smartcard 100 may additionally communicate withthird-party databases to facilitate a comparison between smartcard 100identifier and other smartcard identifiers stored with the biometricsamples. Further, the present invention anticipates use of one or morethird-party devices such as smellprint recognition software and/orhardware systems to facilitate smellprint comparisons, such as, forexample those developed by Company Mastiff Electronic Systems.

Smartcard 100 and/or any other third-party security vendor system usedin connection with smartcard 100 may additionally be configured withsecondary security procedures to confirm that fake biometric samples arenot being used. For example, to detect the use of a false odorant,system 2202 may be further configured to detect man-made smells,abnormal odorants, body heat and/or any other secondary procedure tothwart biometric security fraud. After verifying the biometricinformation, smartcard 100 and smartcard reader 2500 may beginauthentication by the methods described herein.

In another exemplary embodiment, biometric security system 2202 may beconfigured for facilitating biometric security using keystroke/typingrecognition biometrics. As discussed herein, keystroke/typingrecognition biometrics may include recognition of the duration ofkeystrokes, latencies between keystrokes, inter-keystroke times, typingerror frequency, force keystrokes and/or any portion thereof. Asdiscussed herein, these features may be collectively referred to as a“keystroke scan.” Biometric security system 2202 may include a biometricsensor 2204 which may be configured with an electronic sensor, anoptical sensor, a keyboard, and/or other hardware and/or software thatfacilitates the capture of biometric data from the person such as, forexample, scanning, detecting or otherwise sensing a keystroke scan ofcardmember. A keyboard may include any type of input device, such as,for example, flat electronic pads with labels as keys, touch screens,and/or any other types of input devices.

In one exemplary application of smartcard 100 incorporating biometricsecurity system 2202, system 2202 may capture the keystroke scan of thecardmember to initiate the mutual authentication process betweensmartcard 100 and smartcard reader 2500, and/or to provide verificationof the user's identity. In one embodiment, biometric sensor 2204 of thesecurity system 2202 may capture a keystroke scan, when a user types,for example, a PIN or pass phrase into a keyboard configured with sensor2204. Biometric sensor 2204 may be in communication with IC 110 suchthat sensor 2204 receives the keystroke scan and transmits a signal toCPU 202 to facilitate activating the operation of smartcard 100. A powersource (e.g., VCC contact 106(a)) may be in communication with biometricsensor 2204 and IC 110 to provide the desired power for operation of thebiometric security system components.

Smartcard 100 may digitize the keystroke scan based on keystrokecharacteristics and compare the scan against a digitized keystroke scanstored in a database (e.g., security EEPROM 212) included on smartcard100. The keystroke scan information may additionally be compared withinformation from one or more third-party databases communicating withsmartcard 100 through any communication software and/or hardware,including for example, smartcard reader 2500, a USB connection, awireless connection, a computer, a network and/or any other means forcommunicating. CPU 202 may facilitate the local comparison toauthenticate the biometric and validate the information. Any of theembodiments may alternatively or additionally include remote comparisonsperformed or controlled by one or more third-party security vendors.

For example, for keystroke scans, CPU 202 may utilize an existingdatabase to compare the behavioral, temporal and physicalcharacteristics associated with keystrokes. This transfer of informationmay include use of encryption, decryption, security keys, digitalcertificates and/or other security devices to confirm the security ofthe sample. Smartcard 100 may additionally communicate with third-partydatabases to facilitate a comparison between smartcard 100 identifierand other smartcard identifiers stored with the biometric samples.Further, the present invention anticipates use of one or morethird-party devices such as keystroke scan recognition software and/orhardware systems to facilitate keystroke scan comparisons, such as, forexample those developed by BioPassword® BioNet Systems, LLC.

Smartcard 100 and/or any other third-party security vendor system usedin connection with smartcard 100 may additionally be configured withsecondary security procedures to confirm that fake biometric samples arenot being used. For example, to detect the use of a false keystroke,system 2202 may be further configured to detect body heat and/or anyother secondary procedure to thwart biometric security fraud. Afterverifying the biometric information, smartcard 100 and smartcard reader2500 may begin authentication by the methods described herein.

In another exemplary embodiment, biometric security system 2202 may beconfigured for facilitating biometric security using iris scanbiometrics. As discussed herein, iris scan biometrics may includerecognition of characteristics of the colored tissues surrounding thepupil, such as the rings, furrows and freckles and/or any portionthereof. As discussed herein, these characteristics may be collectivelyreferred to as an “iris scan.” Biometric security system 2202 mayinclude a biometric sensor 2204 which may be configured with a videocamera, an optical scanner, a digital camera, a charge coupled deviceand/or other hardware and/or software that facilitates the capture ofbiometric data from the person such as, for example, scanning, detectingor otherwise sensing an iris scan of cardmember.

In one exemplary application of smartcard 100 incorporating biometricsecurity system 2202, system 2202 may capture the iris scan of thecardmember to initiate the mutual authentication process betweensmartcard 100 and smartcard reader 2500, and/or to provide verificationof the user's identity. In one embodiment, biometric sensor 2204 of thesecurity system 2202 may capture an iris scan, when a user uses sensor2204 to scan his iris while he may be up to five feet away from sensor2204. Sensor 2204 may scan the user's iris through contacts, sunglasses,and/or any other type of eye glasses. Biometric sensor 2204 may be incommunication with IC 110 such that sensor 2204 receives the iris scanand transmits a signal to CPU 202 to facilitate activating the operationof smartcard 100. A power source (e.g., VCC contact 106(a)) may be incommunication with biometric sensor 2204 and IC 110 to provide thedesired power for operation of the biometric security system components.

Smartcard 100 may digitize the iris scan based on iris characteristicsand compare the scan against a digitized iris scan stored in a database(e.g., security EEPROM 212) included on smartcard 100. The iris scaninformation may additionally be compared with information from one ormore third-party databases communicating with smartcard 100 through anycommunication software and/or hardware, including for example, smartcardreader 2500, a USB connection, a wireless connection, a computer, anetwork and/or any other means for communicating. CPU 202 may facilitatethe local comparison to authenticate the biometric and validate theinformation. Any of the embodiments may alternatively or additionallyinclude remote comparisons performed or controlled by one or morethird-party security vendors.

For example, for iris scans, CPU 202 may utilize an existing database tocompare the surface patterns of the iris by localizing the boundariesand the eyelid contours of the iris and creating a phase code for thetexture sequence in the iris. This transfer of information may includeuse of encryption, decryption, security keys, digital certificatesand/or other security devices to confirm the security of the sample.Smartcard 100 may additionally communicate with third-party databases tofacilitate a comparison between smartcard 100 identifier and othersmartcard identifiers stored with the biometric samples. Further, thepresent invention anticipates use of one or more third-party devicessuch as iris scan recognition software and/or hardware systems tofacilitate iris scan comparisons, such as, for example those developedby Iridian, LG Electronics and BioCom.

Smartcard 100 and/or any other third-party security vendor system usedin connection with smartcard 100 may additionally be configured withsecondary security procedures to confirm that fake biometric samples arenot being used. For example, to detect the use of a false iris, system2202 may be further configured to vary the light shone into the eye towatch for pupil dilation, to detect body heat and/or any other secondaryprocedure to thwart biometric security fraud. After verifying thebiometric information, smartcard 100 and smartcard reader 2500 may beginauthentication by the methods described herein.

In another exemplary embodiment, biometric security system 2202 may beconfigured for facilitating biometric security using retinal scanningbiometrics. As discussed herein, retinal scanning biometrics may includerecognition of characteristics of the reflected retinal pattern of theeye, such as the location, structure, size, and shape of blood vesselsand/or any portion thereof. As discussed herein, these characteristicsmay be collectively referred to as a “retinal scan.” Biometric securitysystem 2202 may include a biometric sensor 2204 which may be configuredwith low-intensity light source, such as an infrared source, an opticalcoupler and/or other hardware and/or software that facilitates thecapture of biometric data from the person such as, for example,scanning, detecting or otherwise sensing a retinal scan of cardmember.

In one exemplary application of smartcard 100 incorporating biometricsecurity system 2202, system 2202 may capture the iris scan of thecardmember to initiate the mutual authentication process betweensmartcard 100 and smartcard reader 2500, and/or to provide verificationof the user's identity. In one embodiment, biometric sensor 2204 of thesecurity system 2202 may capture a retinal scan, when a sensor 2204shines a light source into the user's retina and detects the reflectedretina pattern. Sensor 2204 may detect a user's retinal pattern when theuser may be up to five feet away from sensor 2204. Biometric metricsensor 2204 may be in communication with IC 110 such that sensor 2204receives the retinal scan and transmits a signal to CPU 202 tofacilitate activating the operation of smartcard 100. A power source(e.g., VCC contact 106(a)) may be in communication with biometric sensor2204 and IC 110 to provide the desired power for operation of thebiometric security system components.

Smartcard 100 may digitize the retinal scan based on retinalcharacteristics and compare the scan against a digitized iris scanstored in a database (e.g., security EEPROM 212) included on smartcard100. The retinal scan information may additionally be compared withinformation from one or more third-party databases communicating withsmartcard 100 through any communication software and/or hardware,including for example, smartcard reader 2500, a USB connection, awireless connection, a computer, a network and/or any other means forcommunicating. CPU 202 may facilitate the local comparison toauthenticate the biometric and validate the information. Any of theembodiments may alternatively or additionally include remote comparisonsperformed or controlled by one or more third-party security vendors.

For example, for retinal scans, CPU 202 may utilize an existing databaseto compare the blood vessel patterns of the retina by comparing storedand detected retinal patterns. This transfer of information may includeuse of encryption, decryption, security keys, digital certificatesand/or other security devices to confirm the security of the sample.Smartcard 100 may additionally communicate with third-party databases tofacilitate a comparison between smartcard 100 identifier and othersmartcard identifiers stored with the biometric samples. Further, thepresent invention anticipates use of one or more third-party devicessuch as retinal scan recognition software and/or hardware systems tofacilitate keystroke scan comparisons, such as, for example thosedeveloped by EyeKey and Retinal Technologies.

Smartcard 100 and/or any other third-party security vendor system usedin connection with smartcard 100 may additionally be configured withsecondary security procedures to confirm that fake biometric samples arenot being used. For example, to detect the use of a false retina, system2202 may be further configured to vary the light shone into the eye towatch for pupil dilation, to detect body heat and/or any other secondaryprocedure to thwart biometric security fraud. After verifying thebiometric information, smartcard 100 and smartcard reader 2500 may beginauthentication by the methods described herein.

Additionally, smartcard 100 may be configured with a securityverification mechanism to verify whether the sampled biometric and/orrelated information is staying on smartcard 100 and/or reader 2500. Thesecurity verification mechanism may be used to safeguard biometricinformation from getting lost and/or compromised on the host system.

In an additional or alternate embodiment, smartcard reader 2500 mayinclude one or more security system, wherein the security systemincorporates one or more biometric system. As shown in FIG. 25,smartcard reader 2500 includes a biometric security system 2502configured for facilitating biometric security using a biometric sample.Biometric security system 2502 may include a biometric sensor 2504 whichmay be configured with a sensor, video camera, digital camera, opticalscanner, light source and/or other hardware and/or software foracquiring biometric data form the person such as, for example, opticalscanning, chemical sensing, or otherwise detecting the portion ofcardmember. Biometric sensor 2504 may be in communication with a sensorinterface/driver 2506 such that sensor interface 2506 receives biometricinformation and transmits a signal to CPU 202 to facilitate activatingthe operation of smartcard 100.

In one exemplary application of smartcard reader 2500 includingbiometric security system 2502, the user may submit a biometric sampleto the biometric sensor to initiate the mutual authentication processbetween smartcard 100 and smartcard reader 2500, and/or to provideverification of the user's identity. Smartcard reader 2500 may digitizethe sample and compare it against a digitized biometric sample stored ina database (e.g., database 2510) included on smartcard reader 2500. Thebiometric sample information may additionally be compared withinformation from one or more third-party databases communicating withsmartcard 100 through any communication software and/or hardware,including for example, smartcard 100, a USB connection, a wirelessconnection, a computer, a network and/or any other means forcommunicating. The transfer of information may include use of encryptiondecryption, security keys, digital certificates and/or other securitydevices to confirm the security of the sample. Smartcard reader 2500 mayadditionally communicate with third-party databases to facilitate acomparison between smartcard 100 identifier and other smartcardidentifiers stored with the biometric samples.

A smartcard reader CPU 2514 may facilitate the local comparison toauthenticate the biometric sample and may validate the information.Reader CPU 2514 may be configured in a manner similar to that of CPU202. Any of the embodiments may alternatively or additionally includeremote comparisons performed or controlled by third-party securityvendors in any way known in the art for comparing biometric data.

Smartcard reader 2500 may also be configured with secondary securityprocedures biometric to confirm that fake biometric samples are notbeing used. For example, smartcard reader 2500 may be further configuredto measure blood flow, body heat and/or any other secondary procedure toreduce biometric security fraud. Other security procedures for ensuringthe authenticity of biometric samples may include monitoring pupildilation for retinal and/or iris scans, pressure sensors, blinkingsensors, human motion sensors, and/or any other procedures known in theart for authenticating the authenticity of biometric samples. Afterverifying the biometric information, smartcard 100 and smartcard reader2500 may begin authentication, and the transaction may proceedaccordingly.

Additionally, CPU 2514 may be configured with a security verificationmechanism to verify whether the sampled biometric and/or relatedinformation is staying on smartcard 100 and/or reader 2500. The securityverification mechanism may be used to safeguard biometric informationfrom getting lost and/or compromised on the host system.

While the biometric safeguard mechanisms describe smartcard 100 and/orsmartcard reader 2500 configured with a biometric safeguard mechanism,any part of system 2400 may be equipped with a biometric safeguardsystem. For example, the invention contemplates receiving a biometricsample only at the reader, only at the smartcard, at both the smartcardand the reader, or at any other combination of location or device. Assuch, any scanner or database discussed herein may be located within orassociated with another device. For example, the smartcard may scan auser biometric, but the database used for comparison may be locatedwithin the reader or merchant server. In other embodiments, thebiometric security device may be located away from the point of saledevice and/or provide other functions. For example, the biometricsecurity device may be located near the item to be purchased or locatedin any other location within or outside of the merchant. In oneembodiment, the biometric security device may be located outside of ajewelry display to allow a user to not only start the authenticationprocess before check-out, but also to allow access to the product withinthe display case. In this regard, the biometric security device maycommunicate the information to the point of sale device so access point15 may verify that the person that entered the jewelry box is the sameperson that is now buying the jewelry. In another embodiment, anyportion of system 2400 may be configured with a biometric securitydevice. The biometric security device may be attached and/orfree-standing. Biometric security devices may be configured for localand/or third-party operation. For example, the present inventioncontemplates the use of third-party fingerprint scanning and securitydevices such as those made by Interlink Electronics, Keytronic, IdentixBiotouch, BIOmetricID, onClick, and/or other third-party vendors.

In yet another embodiment, the database used for comparison may containterrorist and/or criminal information. As used herein, terrorists and/orcriminals may include terrorists, felons, criminals, convicts, indictedpersons, insurgents, revolutionaries and/or other offenders. Theinformation may include biometric information, personal information asdescribed herein, arrest records, aliases used, country of residence,affiliations with gangs and terrorist groups, and/or any other terroristand/or criminal information.

As an example of a secondary security procedure in accordance with thepresent invention, the biometric sensor 2204, 2504 may be configured toallow a finite number of scans. For example, biometric sensor 2204, 2504may be configured to only accept data from a single scan. As a result,biometric sensor 2204, 2504 may turn off or deactivate smartcard 100and/or smartcard reader 2500 if more than one scan may be needed toobtain a biometric sample. Biometric sensor 2204, 2504 may also beconfigured to accept a preset limit of scans. For example, biometricsensor 2204, 2504 may receive three invalid biometric samples before itturns off and/or deactivates smartcard 100 and/or smartcard reader 2500.

The sensor or any other part of system 2400 may also activate uponsensing a particular type or group of biometric samples. The activationmay include sending a signal, blinking, audible sound, visual display,beeping, providing an olfactory signal, providing a physical touchsignal, and providing a temperature signal to said user and/or the like.For example, if the sensor detects information from a gold card member,the system may display a special offer on access point 15. If the sensordetects a repeat customer, the sensor may signal or notify a manager toapproach the customer and thank them for their repeat business. Inanother embodiment, the system may send a signal to a primary accountholder or any other person or device to notify them that the smartcardis being used or that a condition or rule is being violated (e.g.,charge above $1000).

Any of the biometric security systems described herein may additionallybe configured with a fraud protection log. That is, a biometric securitysystem, such as biometric security system 2204, 2504 may be configuredto log all biometric samples submitted on smartcard 100 and/or smartcardreader 2500 and store the log information on databases on and/orcommunicating with system 2204, 2504. If a new and/or differentbiometric sample is submitted that differs from the log data, biometricsecurity system 2204, 2504 may employ a security procedure such asdeactivation, warning authorities, requesting a secondary scan, and/orany other security procedure.

Biometric security system 2204, 2504 and/or the biometric securitysystem configured with system 2400 may also be configured to obtain aplurality of biometric samples for verification and/or other securitypurposes. For example, after biometric security system 2202, receives afirst biometric sample (e.g., scans one finger,) it may be configured toreceive a second biometric sample (e.g., scans a second finger). Thefirst and second biometric samples may be compared with stored biometricsamples by any of the methods disclosed herein. The second biometricsample may be the only sample compared with stored biometric samples ifthe first sample may be unreadable or inadequate.

In yet another exemplary embodiment of the present invention, smartcard100 may be equipped with a biometric safeguard mechanism. For example,in one exemplary application of smartcard 100, smartcard 100 may usebiometric security system 2202 to authorize a transaction that violatesan established rule, such as, for example, a purchase exceeding anestablished per purchase spending limit, a purchase exceeding a presetnumber of transactions, any portion of a purchase and/or transactioninvolving non-monetary funds (e.g., paying a portion of the transactionwith loyalty points, coupons, airline miles, etc.) and/or any otherpurchase and/or transaction exceeding a preset or established limit.Cardmember, a third-party issuer system a third-party financial system,a company and/or any other entity or system may establish the presetlimits. The limits may be used to prevent fraud, theft, overdrafts,and/or other non-desirable situations associated with financial andnon-financial accounts. For example, if smartcard 100 is stolen and thethief tries to make a large purchase with the card, the biometricsafeguard mechanism may prevent the purchase until cardmember's identityis verified by biometric means.

For example, smartcard 100 may activate biometric security system 2202to notify a user a user who is attempting to make a large purchase thatthe user must provide a biometric sample to verify the user's identity.By notifying, smartcard 100 may be configured to provide an audiblesignal, visual signal, optical signal, mechanical signal, vibration,blinking, signaling, beeping, providing an olfactory signal, providing aphysical touch signal, and providing a temperature signal to said userand/or provide any other notification to a cardmember. Accordingly,cardmember may provide such verification by submitting a biometricsample, for example placing his finger over biometric sensor 2204 and/orany other biometric security devices used in association with smartcard100. Biometric sensor 2204 may then digitize the biometric sample (e.g.,fingerprint) and use the digitized sample for verification by any of themethods described herein. Once cardmember's identity and/or smartcard100 smartcard chip identifier may be verified, smartcard 100 may providea transaction authorized signal to CPU 202 (and/or to IC 110) forforwarding to smartcard reader 2500. Smartcard reader 2500 may thenprovide the transaction authorized signal to Access point 15 in asimilar manner as is done with conventional PIN driven systems andAccess point 15 may process the transaction under the merchant'sbusiness as usual standard. If smartcard 100 has been stolen, thencardmember's identity may not be verified and the transaction may becancelled. Additionally, one or more further security procedures may betriggered, such as, for example, smartcard 100 may deactivate, smartcard100 may send a notification to a security vendor, smartcard 100 may beconfiscated by the merchant and/or any other security procedures may beused.

In another exemplary embodiment, smartcard reader 2500 may be equippedwith a biometric safeguard mechanism. For example, in one exemplaryapplication of smartcard reader 2500, smartcard reader 2500 may usebiometric security system 2502 to authorize a transaction that violatesan established rule, such as, for example, a purchase exceeding anestablished per purchase spending limit, a purchase exceeding a presetnumber of transactions and/or any other purchase exceeding a preset orestablished limit. Cardmember, a third-party issuer system a third-partyfinancial system, a company and/or any other entity or system mayestablish the preset limits. The limits may be used to prevent fraud,theft, overdrafts, and/or other non-desirable situations associated withfinancial and non-financial accounts. For example, if smartcard 100 isstolen and the thief tries to make a large purchase with the card, thebiometric safeguard mechanism may prevent the purchase untilcardmember's identity is verified by biometric means.

In one example, where cardmember is using a company-issued smartcard100, smartcard 100 may the have a preset limit of transactions that maybe completed before biometric verification is required. If the userexceeds the transaction limit, smartcard reader 2500 may be configuredto scan a biometric sample in order to verify the user's identity.Accordingly, the user may provide such verification by submitting abiometric sample, for example submitting a retinal scan to biometricsensor 2504. Smartcard reader 2500 may then digitize the biometricsample (e.g., retinal pattern) and use the digitized sample forverification by any of the methods described herein. Once cardmember'sidentity and/or smartcard 100 smartcard chip identifier may be verified,smartcard reader 2500 may receive a transaction authorized signal from asecurity vendor authorized to give such a signal. Smartcard reader 2500may then provide the transaction authorized signal to Access point 15 insimilar manner as is done with conventional PIN driven systems andAccess point 15 may process the transaction under the merchant'sbusiness as usual standard.

While the biometric safeguard mechanisms described herein usefingerprint scanning and retinal scanning for biometric sampleverification for exemplification, any biometric sample may be submittedfor verification, authorization and/or any other safeguard purpose. Forexample the present invention contemplates the use of voice recognition,facial and/or ear recognition, signature recognition, vascular patterns,DNA sampling, hand geomertry, auditory emissions recognition, olfactoryrecognition, keystroke/typing recognition, iris scans, and/or any otherbiometric known in the art.

In another exemplary embodiment of the present invention, one or morebiometric samples may be used to sign and/or encrypt information. Forexample, smartcard 100 and/or reader 2500 may be configured to receive abiometric sample from a user. The sample may then be digitized and used,for example, as a variable in an encryption calculation to secure data.If the user wants to retrieve the encrypted data, the user must submitthe relevant biometric sample and have it authenticated by any of themethods described herein. Once the biometric sample is authenticated,the data will be decrypted for access.

Similarly, a biometric may be used as both a private key and a publickey for encryption purposes. In one exemplary embodiment, an entity mayuse stored biometric sample information to encrypt data in a mannersimilar to a public key. The data may then be configured such that it isonly accessible by a real biometric sample, for example, by a userproffering a fingerprint sample at a reader. Upon verification of thereal biometric sample, the data may be decrypted and/or retrieved.

While the exemplary embodiments describe herein make reference toidentification, authentication and authorization processes, it should beunderstood that the biometric security systems and methods describedherein may be used for identification purposes only, authenticationpurposes only, and/or authorization purposes only. Similarly, anycombination of identification, authentication and/or authorizationsystems and methods may be used in conjunction with the presentinvention.

The preceding detailed description of exemplary embodiments of theinvention makes reference to the accompanying drawings, which show theexemplary embodiment by way of illustration. While these exemplaryembodiments are described in sufficient detail to enable those skilledin the art to practice the invention, it should be understood that otherembodiments may be realized and that logical and mechanical changes maybe made without departing from the spirit and scope of the invention.For example, the steps recited in any of the method or process claimsmay be executed in any order and are not limited to the order presented.Further, the present invention may be practiced using one or moreservers, as necessary. Thus, the preceding detailed description ispresented for purposes of illustration only and not of limitation, andthe scope of the invention is defined by the preceding description, andwith respect to the attached claims.

Benefits, other advantages, and solutions to problems have beendescribed above with regard to specific embodiments. However, thebenefits, advantages, solutions to problems, and any element(s) that maycause any benefit, advantage, or solution to occur or become morepronounced are not to be construed as critical, required, or essentialfeatures or elements of any or all the claims. As used herein, the terms“comprises,” “comprising,” or any other variations thereof, are intendedto cover a nonexclusive inclusion, such that a process, method, article,or apparatus that comprises a list of elements does not include onlythose elements but may include other elements not expressly listed orinherent to such process, method, article, or apparatus. Further, noelement described herein is required for the practice of the inventionunless expressly described as “essential” or “critical.”

1. A method for conducting a transaction using a smartcard transactionsystem having a biometric security device, said method comprising:communicating with a smartcard, wherein said smart card comprises acommon application and a second application, said second applicationstoring travel-related information associated with a cardholder, saidsecond application comprising a common file structure and a partner filestructure; determining when a transaction violates a preset transactionlimitation; notifying a user to proffer a first biometric sample and asecond biometric sample to verify an identity of said user; receiving afirst proffered biometric sample and a second proffered biometricsample, wherein said first proffered biometric sample is a differenttype of biometric sample from said second proffered biometric sample,and wherein said first proffered biometric sample and said secondproffered biometric sample are from the same user, and wherein saidfirst proffered biometric sample is required to access said common filestructure and said second proffered biometric sample is required toaccess said partner file structure; verifying said first profferedbiometric sample and a second proffered biometric sample; enabling writeaccess to a field within said partner file structure upon verificationof said second proffered biometric sample and upon request by a firstpartnering organization; denying write access to said field upon requestby a second partnering organization; enabling write access for saidfirst partnering organization and said second partnering organization toa field in said common file structure, upon verification of said firstproffered biometric sample; transferring common data to facilitate saidtransaction; transferring said travel-related information, informationrelated to said common file structure and information related to saidpartner file structure to facilitate said transaction; storing, by afirst enterprise data collection unit, update transactions and pendingtransactions associated with said smartcard and a first enterprise,wherein said first enterprise data collection unit is associated with afirst enterprise; storing, by a second enterprise data collection unit,update transactions and pending transactions associated with saidsmartcard and a second enterprise, wherein said second enterprise datacollection unit is associated with a second enterprise; interfacing withsaid smartcard and said first and second enterprise data collectionunits, at an access point; storing, by a card object database systemcoupled to said first and second enterprise data collection units, saidsmartcard information in accordance with said update transactions andsaid pending transactions, wherein said smartcard information includes acard object having an application; routing, by an update logic system,said smartcard information from said first and second enterprise datacollection units to said access point in order to effect synchronizationof said smartcard information associated with said smartcard and saidcard object database system; and, activating, by said verificationdevice, said update logic system upon verification of said firstproffered biometric sample and said second biometric sample.
 2. Themethod of claim 1, wherein said step of determining when saidtransaction violates said preset transaction limitation includesdetermining when said transaction is at least one of a purchaseexceeding an established per purchase spending limit, a purchaseexceeding a preset number of transactions, any portion of a purchaseusing non-monetary funds, and a purchase exceeding an established limit.3. The method of claim 1, wherein said step of notifying includesproviding notification by at least one of an audible signal, a visualsignal, an optical signal, a mechanical signal, a vibration, blinking,signaling, beeping, providing an olfactory signal, providing a physicaltouch signal, and providing a temperature signal to said user.
 4. Themethod of claim 1, further comprising using data representing said firstproffered biometric sample and said second proffered biometric sample asa variable in an encryption calculation to secure at least one of userdata and transaction data.
 5. The method of claim 1, further comprisingaccessing card-holder preferences relating to at least one of rentalcars, hotel reservations, and air travel in said partner file structure,upon verification of said first proffered biometric sample and saidsecond proffered biometric sample.
 6. The method of claim 1, furthercomprising using data representing said first proffered biometric sampleand said second proffered biometric sample as at least one of a privatekey and a public key to facilitate encryption security associated withsaid transaction.
 7. The method of claim 1, further comprising usingdata representing said first proffered biometric sample and said secondproffered biometric sample in generating a message authentication code.8. The method of claim 1, wherein said step of verifying includescomparing said first proffered biometric sample and said secondproffered biometric sample with a stored biometric sample.
 9. The methodof claim 8, wherein said stored biometric sample is from at least one ofa criminal, a terrorist, and a cardmember.
 10. The method of claim 1,wherein said step of verifying includes verifying said first profferedbiometric sample and said second proffered biometric sample usinginformation contained on at least one of a local database, a remotedatabase, and a third-party controlled database.
 11. The method of claim1, further comprising using data representing said first profferedbiometric sample and said second proffered biometric sample to providesubstantially simultaneous access to goods and initiation ofauthentication for a subsequent purchase of said goods.
 12. The methodof claim 1, further comprising requesting said user to submit a personalidentification number and verifying said personal identification number.13. The method of claim 1, further comprising facilitating a selectionof an account from at least two accounts.
 14. The method of claim 1,further comprising requiring a third proffered biometric sample tooverride said preset transaction limitation.
 15. The method of claim 1,further comprising writing to at least one of said partner filestructure and said common file structure to program said smartcard as aroom key.
 16. The method of claim 1, further comprising securelyrouting, by an update logic system, card information between saidenterprise data synchronization interface and said enterprise datacollection units, wherein said update logic system is coupled to anenterprise data synchronization interface, and communicating, by saidenterprise network, with said access point, wherein said enterprise datasynchronization interface is coupled to said enterprise network.
 17. Themethod of claim 16, further comprising, by a secure support clientserver, communicating with said access point, and adaptively providingcommunication functionality in accordance with the communicationfunctionality available at said access point.
 18. The method of claim17, further comprising: communicating, by a key system, with a securityserver and supplying a key in response to a request from said securityserver, wherein said key system is associated with said application;receiving, by a personalization utility, said card object andcommunicating with said security server; adding, by said personalizationutility, said key to said card object; accepting, by a card managementsystem, a card request and communicating said card request to saidpersonalization utility; and communicating, by a gather applicationmodule, with said card management system and gathering applicationinformation from a first database and a second database in accordancewith said card request, wherein said first database is associated withsaid first enterprise, and said second database is associated with saidsecond enterprise.
 19. The method of claim 1, further comprisingdisplaying a first plurality of financial accounts upon verification ofsaid first proffered biometric sample, and displaying a second pluralityof financial accounts upon verification of said second biometric sample,wherein said first plurality of financial accounts include differentfinancial accounts than said second plurality of financial accounts. 20.The method of claim 1, further comprising associating a first set ofrules with said first proffered biometric sample and displaying a firstplurality of financial accounts upon verification of said firstproffered biometric sample and said first set of rules, and associatinga second set of rules with said second proffered biometric sample anddisplaying a second plurality of financial accounts upon verification ofsaid second biometric sample and said second set of rules, wherein saidfirst plurality of financial accounts include different financialaccounts than said second plurality of financial accounts.